Abstract

In this paper we develop techniques that eliminate the need of the Generalized Riemann Hypothesis (GRH) from various (almost all) known results about deterministic polynomial factoring over finite fields. Our main result shows that given a polynomial $f(x)$ of degree $n$ over a finite field $k$, we can find in deterministic $\mathrm{poly}(n^{\log n}, \log |k|)$ time either a nontrivial factor of $f(x)$ or a nontrivial automorphism of $k[x]/(f(x))$ of order $n$. This main tool leads to various new GRH-free results, the most striking of which are:

1. Given a noncommutative algebra $A$ of dimension $n$ over a finite field $k$, there is a deterministic $\mathrm{poly}(n^{\log n}, \log |k|)$ time algorithm to find a zero divisor in $A$. This is the best known deterministic GRH-free result since Friedl and Rónyai (STOC 1985) first studied the problem of finding zero divisors in finite algebras and showed that this problem has the same complexity as factoring polynomials over finite fields.

2. Given a positive integer $r$ such that either $8 \mid r$ or $r$ has at least two distinct odd prime factors, there is a deterministic polynomial time algorithm to find a nontrivial factor of the $r$-th cyclotomic polynomial over a finite field. This is the best known deterministic GRH-free result since Huang (STOC 1985) showed that cyclotomic polynomials can be factored over finite fields in deterministic polynomial time assuming GRH.

In this paper, following the seminal work of Lenstra (1991) on constructing isomorphisms between finite fields, we further generalize classical Galois theory constructs like cyclotomic extensions, Kummer extensions and Teichmüller subgroups to the case of commutative semisimple algebras with automorphisms. These generalized constructs help eliminate the dependence on GRH.



1 Introduction 

The problem of finding a nontrivial factor of a given polynomial over a finite field is a fundamental computational problem. There are many problems whose known algorithms first require factoring polynomials. Thus, polynomial factoring is an intensely studied question and various randomized polynomial time algorithms are known - Berlekamp [Be67], Rabin [Rab80], Cantor and Zassenhaus [CZ81], von zur Gathen and Shoup [GS92], Kaltofen and Shoup [KS98] - but its deterministic complexity is a longstanding open problem. There are, however, several partial results known about the deterministic complexity of polynomial factoring based on the conjectured truth of the generalized Riemann Hypothesis (GRH). The surprising connection of GRH with polynomial factoring is based on the fact that if GRH is true and $r$ is a prime dividing $(|k| - 1)$ then one can find primitive $r$-th nonresidues in the finite field $k$, which can then be used to factor 'special' polynomials, $x^r - a$ over $k$, in deterministic polynomial time (see [Ev89]).

Many deterministic factoring algorithms are based on this, but all of them take super-polynomial time except on special instances.

The special instance when the degree $n$ of the input polynomial $f(x)$ has a "small" prime factor $r$ has been particularly interesting. Rónyai [Ró87] showed that under GRH one can find a nontrivial factor of $f(x)$ in deterministic polynomial time. Later it was shown by Evdokimov [Ev94] that Rónyai's algorithm can be modified to get, under GRH, a deterministic algorithm that factors any input polynomial $f(x) \in k[x]$ of degree $n$ in subexponential time $\mathrm{poly}(n^{\log n}, \log |k|)$. This line of approach has since been investigated, in an attempt to remove GRH or improve the time complexity, leading to several algebraic-combinatorial conjectures and quite special case solutions [CH00], [Gao01], [IKS08].

Some other instances studied have been related to the Galois group of the given polynomial over the rationals. Rónyai [Ró89b] showed under GRH that any polynomial $f(x) \in \mathbb{Z}[x]$ can be factored modulo $p$ deterministically in time polynomial in the size of the Galois group over $\mathbb{Q}$ of $f$, except for finitely many primes $p$. Other results of a similar flavor are: Evdokimov [Ev89] showed under GRH that $f(x)$ can be factored in deterministic polynomial time if it has a solvable Galois group, while Huang [Hua85] showed under GRH that $f(x)$ can be factored in deterministic polynomial time if it has an Abelian Galois group.

Another instance studied is that of "special" finite fields. Bach, von zur Gathen and Lenstra [BGL01] showed under GRH that polynomials over finite fields of characteristic $p$ can be factored in deterministic polynomial time if $\phi_k(p)$ is "smooth" for some integer $k$, where $\phi_k(x)$ is the $k$-th cyclotomic polynomial. This result generalizes the previous works of Rónyai [Ró89a], Mignotte and Schnorr [MS88], von zur Gathen [G87], Camion [Cam83] and Moenck [Moe77].

Polynomial factoring has several applications both in the real world - coding theory and cryptography - and in fundamental computational algebra problems. The latter kind of applications are relevant to this work. Friedl and Rónyai [FR85] studied the computational problem of finding the simple components and a zero divisor of a given finite algebra over a finite field. They showed that all these problems depend on factoring polynomials over finite fields and hence have randomized polynomial time algorithms. Furthermore, they have, under GRH, deterministic subexponential time algorithms. In this work we give an unconditional version of this result. We show that if the given algebra is noncommutative then in fact we can find a zero divisor in deterministic subexponential time without needing GRH.
1.1 Our Results and Techniques

As we saw above there are several results on polynomial factoring that assume the truth of the GRH. Of course one would like to eliminate the need of GRH but that goal is still elusive. As a first step in that direction we give in this work GRH-free versions of all the results mentioned above. In these versions the basic tool is that we either successfully find a nontrivial factor of a polynomial $f(x)$ over a finite field $k$ or we find a nontrivial automorphism of the algebra $k[x]/(f(x))$. Formally speaking, the main result of the paper is:

Main Theorem: Let $A$ be a commutative semisimple algebra of dimension $n$ over a finite field $k$ and let $A$ be given in the input in terms of basis elements over $k$. Then there is a deterministic algorithm which in subexponential time $\mathrm{poly}(n^{\log n}, \log |k|)$ computes a decomposition of $A$ into a direct sum $A_1 \oplus \cdots \oplus A_t$ and finds an automorphism of order $\dim_k A_i$ of the algebra $A_i$, for each $1 \le i \le t$.

This main theorem can be considered as a GRH-free version of Evdokimov's factoring result [Ev94], but its proof leads us to significantly generalize standard notions and develop novel algebraic techniques that suggest a general paradigm for GRH elimination. We are going to use it as a tool for more important applications, but first let us explain the importance of this result itself. It is the first deterministic subexponential time algorithm to find a nontrivial automorphism of a given commutative semisimple algebra over a finite field. Finding a nontrivial automorphism of a given arbitrary ring is in general as hard as integer factoring [KS05], but our result shows that it might be a lot easier for a commutative semisimple algebra over a finite field. Note that in the special case when $A = k[x]/(f(x))$ with $f(x)$ splitting over $k$ as $\prod_{j=1}^{n} (x - a_j)$, with $a_1, \dots, a_n$ all distinct, we have $A = \bigoplus_{j=1}^{n} k[x]/(x - a_j)$. The above algorithm either gives $t > 1$ components of $A$ - in which case it effectively yields a nontrivial factor of $f(x)$ - or $t = 1$ and it gives an automorphism $\sigma$ of $A$ of order $n$, thus yielding $n$ distinct "roots" of $f(x)$ - $x, \sigma(x), \dots, \sigma^{n-1}(x)$ - all living in $A \setminus k$. This latter case can be interpreted as finding roots over finite fields in terms of "radicals", in analogy to classical Galois theory where one studies rational polynomials whose roots can be expressed by radicals; see Section 4 for details.

The key ideas in finding a nontrivial automorphism of a given commutative semisimple $B$-algebra $A$ over a finite field $k \subseteq B$ are as follows. We consider a special ideal $A'$ (what we call the essential part in Section 5.2) of the tensor product $A \otimes_B A$. The ideal $A'$ is just the kernel of a standard homomorphism of $A \otimes_B A$ onto $A$ and has rank ("dimension") $\mathrm{rk}_B A \,(\mathrm{rk}_B A - 1)$ over $B$. The algebra $A$ gets naturally embedded in $A'$ by a map $\phi$, hence $A'$ is an extension algebra of $\phi(A) = A$ which in turn is an extension algebra of $\phi(B) = B$. Also, we know a natural automorphism of $A'$ fixing $B$ - the map $\tau : x \otimes y \mapsto y \otimes x$. A lot of technical effort goes into "bringing down" this automorphism (or a certain other automorphism $\sigma$ of order 2 obtained by recursion) from $A'$ to $A$, i.e. getting a $B$-automorphism $\sigma'$ of $A$. The technical arguments fall into two cases, depending on whether $\mathrm{rk}_A A' = \mathrm{rk}_B A' / \mathrm{rk}_B A$ is odd or even.

(1) If the rank $\mathrm{rk}_B A$ is even then $\mathrm{rk}_A A'$ is odd. We find an element $u \in A'$ with $u^\tau = -u$. If $u \in A$ then the restriction of $\tau$ is a $B$-automorphism of the subalgebra $B[u]$ of $A$ generated by $B$ and $u$. If $u \notin A$ then either the subalgebra $A[u]$ of $A'$ is not a free $A$-module or $A'$ is not a free $A[u]$-module. Both cases give us a zero divisor in $A'$, which we use to go to a smaller ideal $I$ of $A'$ such that we know an automorphism of $I$, it contains a "copy" of $A$ and $\mathrm{rk}_A I$ is odd; thus we can continue this "descent" (from $A'$ to $I$) till we have a $B$-automorphism of $A$ or of a subalgebra of $A$ (this process appears in Section 5). In the former case we are done, while in the latter case we use two recursive calls and certain techniques to "glue" the three available automorphisms. (2) If the rank $\mathrm{rk}_B A$ is odd then $\mathrm{rk}_A A'$ is even and we can use the technique above to find an $A$-automorphism $\sigma$ of $A'$. It turns out that $\sigma$ and $\tau$ generate a group of automorphisms of $A'$ which is big enough to find a proper ideal $I$ of $A'$ efficiently. We may further assume that the rank of $I$ over $A$ is at most $\mathrm{rk}_A A'/2 = (\mathrm{rk}_B A - 1)/2$. This allows us a recursive call with $(I, A)$ in place of $(A, B)$ to get an $A$-automorphism of $I$, which we eventually show is enough to extract an automorphism of $A$ using tensor properties and a recursive call (this case 2 gets handled in Section 5).

This algebraic-extensions jugglery either goes through and yields a nontrivial automorphism $\sigma'$ of $A$ fixing $B$, or it "fails" and yields a zero divisor in $A$ which we use to "break" $A$ into smaller subalgebras and continue working there. As in each recursive call, in the above two cases, the rank of the bigger algebra over the subalgebra is at most half of the original one, the depth of the recursion is at most $\log \mathrm{rk}_B A$. This gives an $n^{\log n}$ term in the time complexity analysis.

Roots of unity play a significant role in gluing automorphisms (i.e. in extending an automorphism of a subalgebra, of elements fixed by another automorphism, to the whole algebra). The gluing process is described in Section 4.4. As we do not know roots of unity in $k$ we resort to attaching virtual $r$-th roots of unity for a suitable prime $r$, i.e. working in the cyclotomic extension $k[\zeta_r] := k[x]/(\sum_{i=0}^{r-1} x^i)$ and $A'[\zeta_r] := k[\zeta_r] \otimes_k A'$. We then need to generalize standard algebraic constructions, like Kummer extensions and Teichmüller subgroups, which were first used in a context similar to ours by Lenstra [L91] to find isomorphisms between fields, to our situation of commutative semisimple algebras.

The above theorem and its proof techniques have important applications. The first 
one is in finding zero divisors in a noncommutative algebra. 

Application 1: Let $A$ be an algebra of dimension $n$ over a finite field $k$ and let $A$ be given in the input in terms of basis elements over $k$. Assume that $A$ is noncommutative. Then there is a deterministic algorithm which finds a zero divisor in $A$ in time $\mathrm{poly}(n^{\log n}, \log |k|)$.

The previous best result was due to Rónyai [Ró90] who gave an algorithm invoking polynomial factorization over finite fields and hence taking subexponential time assuming GRH. Our result removes the GRH assumption. It is interesting to note that if we could prove such a result for commutative algebras as well then we would basically be able to factor polynomials in subexponential time without needing GRH.

If $A$ is a simple algebra over the finite field $k$ then it is isomorphic to the algebra $M_m(K)$ of the $m \times m$ matrices with entries from an extension field $K$ of $k$. By Application 1 we find a proper left ideal of $A$. A recursive call to a certain subalgebra of the left ideal will ultimately give a minimal left ideal of $A$, and using this minimal one-sided ideal an isomorphism with $M_m(K)$ can be efficiently computed. Thus, for constant $m$, Application 1 extends Lenstra's result (on computing isomorphisms between input fields) to noncommutative simple algebras, i.e. the explicit isomorphism problem is solved in this case. We note that, in general, the algebra isomorphism problem over finite fields is not "believed" to be NP-hard but it is at least as hard as the graph isomorphism problem [KS05]. We also remark that the analogous problem of constructing an isomorphism with the algebra of matrices over the rationals has a surprising application to rational parametrization of certain curves, see [GHPS06].

The techniques used to prove Main Theorem can be applied to find a nontrivial factor 
of an r-th cyclotomic polynomial over a finite field k, for almost all r's, in deterministic 
polynomial time. 

Application 2: Let $r$ be a positive integer such that the multiplicative group $\mathbb{Z}_r^*$ is noncyclic and let $\phi_r(x)$ be the $r$-th cyclotomic polynomial. Then we can find a nontrivial factor of $\phi_r(x)$ over a finite field $k$ in deterministic $\mathrm{poly}(r, \log |k|)$ time.

Roots of an $r$-th cyclotomic polynomial over $k$ are the $r$-th roots of unity and thus naturally related to all polynomial factoring algorithms. Assuming GRH, several algorithms are known to factor these important polynomials (see [Ev89]). The above result gives the first deterministic polynomial time algorithm to nontrivially factor "most" of the cyclotomic polynomials without assuming GRH.

The third application of the techniques used to prove Main Theorem is in the instance of polynomial factoring over prime fields when we know the Galois group of the input polynomial. The following theorem can be seen as the GRH-free version of the main theorem of Rónyai [Ró89b].

Application 3: Let $F(X) \in \mathbb{Z}[X]$ be a polynomial irreducible over $\mathbb{Q}$ with Galois group of size $m$ and let $L$ be the maximum length of the coefficients of $F(X)$. Let $p$ be a prime not dividing the discriminant of $F(X)$ and let $f(x) = F(X) \pmod p$. Then by a deterministic algorithm of running time $\mathrm{poly}(m, L, \log p)$ we can find either a nontrivial factor of $f(x)$ or a nontrivial automorphism of $\mathbb{F}_p[x]/(f(x))$ of order $\deg f$.

The fourth application of the techniques used to prove Main Theorem is in the instance of polynomial factoring over $\mathbb{F}_p$ when $p$ is a prime with smooth $(p - 1)$. The following theorem can be seen as the GRH-free version of the main theorem of Rónyai [Ró89a].

Application 4: Let $f(x)$ be a polynomial of degree $n$ that splits into linear factors over $\mathbb{F}_p$. Let $r_1 < \dots < r_t$ be the prime factors of $(p - 1)$. Then by a deterministic algorithm of running time $\mathrm{poly}(r_t, n, \log p)$, we can find either a nontrivial factor of $f(x)$ or a nontrivial automorphism of $\mathbb{F}_p[x]/(f(x))$ of order $n$. In fact, we always find a nontrivial factor of $f(x)$ in case $n \nmid \mathrm{lcm}\{r_i - 1 \mid 1 \le i \le t\}$.

Thus over "special" fields (i.e. when p — 1 has only small prime factors) the above 
actually gives a deterministic polynomial time algorithm, a significant improvement over 
Main Theorem. 

1.2 Organization 

In Section 2 we collect various standard objects and structural facts associated to algebras. We also discuss the three basic methods that lead to discovering a zero divisor in an algebra - finding the discrete log for elements of prime-power order, finding a free basis of a module and refining an ideal by a given automorphism.
In this work we use methods for finding zero divisors in algebras in the case when certain groups of automorphisms are given. One such method is computing fixed subalgebras and testing freeness over them. In Section 3 we give a characterization of algebras and groups which survive these kinds of attacks. These algebras, called semiregular wrt the group, behave like fields in the sense that the whole algebra is a free module over the subalgebra of fixed points of the group and the rank equals the size of the group.

In Section 4 we build a small theory for the main algebraic construction, Kummer-type extensions over algebras, that we are going to use. We investigate there the action of the automorphisms of an algebra $A$ on a certain subgroup, the Teichmüller subgroup, of the multiplicative group of a Kummer-type extension of $A$. The proofs of Applications 2 and 3 get completed in this section.

In Section 5 we apply the machinery of Section 4 to the tensor power algebras and complete the proof of Main Theorem.

In Section 6 we find suitable subalgebras of a given noncommutative algebra to invoke Main Theorem and complete the proof of Application 1.

In Section 7 we use the techniques developed for the Main Theorem in the case of special finite fields and complete the proof of Application 4.

2 Preliminaries 

In this section we list some algebraic notions that we use in this work and that can be found in standard algebra texts, for example [La80].

Rings, Units and Zero-divisors: A ring with identity (or ring, for short) $R$ is a set of elements together with two operations - denoted by addition $+$ and multiplication $\cdot$ - such that $(R, +)$ is an Abelian group, $\cdot$ is associative, distributes over $+$ and has an identity element $1_R$. Note that the set $R^*$, containing all the elements of $R$ that have a multiplicative inverse, is a multiplicative group called the group of units. For a prime integer $r$ we call a unit $x$ an $r$-element if the multiplicative order of $x$ is a power of $r$. An element $x$ is called a zero divisor if $x \neq 0$ and there exist nonzero $y, y' \in R$ such that $yx = xy' = 0$.

Modules: Let $(R, +, \cdot)$ be a commutative ring and $(M, +)$ be an Abelian group. We call $M$ an $R$-module wrt an operation $R \times M \to M$ (called scalar multiplication and denoted as $rx$ for $r \in R$ and $x \in M$) if for all $r, s \in R$; $x, y \in M$, we have: $r(x + y) = rx + ry$; $(r + s)x = rx + sx$; $(rs)x = r(sx)$ and $1x = x$. Note that a vector space $V$ over a field $F$ is also an $F$-module.

Free and Cyclic: For an $R$-module $M$, a set $E \subseteq M$ is called a free basis of $M$ if: $E$ is a generating set for $M$, i.e. every element of $M$ is a finite sum of elements of $E$ multiplied by coefficients in $R$, and $E$ is a free set, i.e. for all $r_1, \dots, r_n \in R$; $e_1, \dots, e_n \in E$, $r_1 e_1 + \cdots + r_n e_n = 0$ implies that $r_1 = \cdots = r_n = 0$. A free module is a module with a free basis. $|E|$ is called the rank or dimension of the free module $M$ over $R$. Clearly, a vector space is a free module. A module is called a cyclic module if it is generated by one element.

Algebras: Let $(R, +, \cdot)$ be a commutative ring and $(A, +, \cdot)$ be a ring which is also an $R$-module, where the additive operation of $A$ as a module coincides with $+$. We say that $A$ is an associative $R$-algebra with identity (or just an $R$-algebra for short) if multiplication by elements of $R$ commutes with multiplication by elements of $A$: for every $r \in R$ and for every $a, b \in A$ we have $r(ab) = (ra)b = a(rb)$.

Subalgebras: A subalgebra $B$ of an $R$-algebra $(A, +, \cdot)$ is just a submodule of $A$ closed under multiplication. In this paper, unless otherwise stated, by a subalgebra of $A$ we mean a subalgebra containing the identity element $1_A$. Note that if $B$ is a commutative subalgebra of $A$ then $A$ is a $B$-module in a natural way. If, furthermore, $B$ is contained in the center of $A$ (that is, $ab = ba$ for every $a \in A$ and for every $b \in B$) then $A$ is a $B$-algebra.

Presentation: In this work we will consider only $k$-algebras $A$ that are finite dimensional over a finite field $k$. So we can assume that an algebra $A$ is always presented in the input-output in terms of an additive basis of $(A, +)$ over $k$, i.e. there are basis elements $b_1, \dots, b_n \in A$ such that $A = kb_1 + \cdots + kb_n$ and furthermore $a_{ij,l} \in k$ are given such that $b_i \cdot b_j = \sum_l a_{ij,l} b_l$. Such an $n$ is called the dimension, $\dim_k A$, of $A$ over $k$.

Extension: If $B$ is a commutative $k$-algebra and a $B$-algebra $A$ is also a free module over $B$ then we call $A$ an algebra extension or an extension algebra over $B$. This terminology is justified by the fact that $B$ is embedded into (the center of) $A$ by the map $b \mapsto b \cdot 1_A$. We denote the rank ("dimension") of $A$ as a $B$-module by $\mathrm{rk}_B A$ or $[A : B]$. We sometimes use this notation also when there is an implicit embedding of $B$ in $A$.

Primitive Element: We call an algebra extension $A$ over $B$ simple if there is an $a \in A$ such that $\{1, a, \dots, a^{n-1}\}$ forms a free basis of $A$ over $B$. We call $a$ a primitive element and write $A = B[a]$.

Following is a version of the standard Primitive Element Theorem. 

Fact 1. If $K \supseteq F$ are fields such that $\mathrm{char}\, F$ is $0$ or $> [K : F]$, then $K$ has a primitive element over $F$.

There are two natural operations defined on algebras - the direct sum and the tensor 
product - each constructs a bigger algebra. 

Direct Sum: Let $(A_1, +, \cdot)$ and $(A_2, +, \cdot)$ be two algebras. Then the direct sum algebra, $A_1 \oplus A_2$, is the set $\{(a_1, a_2) \mid a_1 \in A_1, a_2 \in A_2\}$ together with component-wise addition and multiplication operations. In a similar vein, for subalgebras $A_1, A_2$ of an algebra $A$ we write $A = A_1 \oplus A_2$ if $A = A_1 + A_2$ and $A_1, A_2$ are orthogonal, i.e. $\forall\, a_1 \in A_1, a_2 \in A_2$, $a_1 a_2 = a_2 a_1 = 0$.

Tensor Product: Furthermore, if $B$ is a commutative algebra such that $A_1, A_2$ are $B$-algebras of dimensions $n_1, n_2$ respectively over $B$ then their tensor product algebra wrt $B$, $A_1 \otimes_B A_2$, is the set $\{a_1 \otimes a_2 \mid a_1 \in A_1, a_2 \in A_2\}$ naturally viewed as a $B$-module having the multiplication operation: $(a_1 \otimes a_2) \cdot (a_1' \otimes a_2') = (a_1 a_1' \otimes a_2 a_2')$ for all $a_1, a_1' \in A_1$ and $a_2, a_2' \in A_2$. Note that the tensor product algebra has dimension $n_1 n_2$ over $B$. Thus, if $B$ is finite then $|A_1 \oplus A_2| = |B|^{n_1 + n_2}$ while $|A_1 \otimes_B A_2| = |B|^{n_1 n_2}$.

Nilpotent and Idempotent: In an algebra $A$ we call an element $x \in A$ nilpotent if $x^m = 0$ for some positive integer $m$, while we call $x$ idempotent if $x^2 = x$. It is called a primitive idempotent if it cannot be expressed as the sum of two idempotents whose product is zero. It is called nontrivial if it is not $0$ or $1$.

Decomposability: An algebra $A$ is called indecomposable if there are no nonzero algebras $R, S$ such that $A = R \oplus S$.
Following are some standard facts relating decomposability to idempotents in commutative algebras.

Fact 2. Let $A$ be a commutative algebra. Then:

(1) $A$ decomposes iff $A$ has a nontrivial idempotent.

(2) If $e$ is an idempotent in $A$ then $A = eA \oplus (1 - e)A$.

(3) If $e$ is a primitive idempotent in $A$ then $eA$ is indecomposable.

Ideal: An ideal $I$ of an algebra $A$ is a subset that is an additive subgroup of $A$, is closed under multiplication and contains both $aI := \{a \cdot i \mid i \in I\}$ and $Ia := \{i \cdot a \mid i \in I\}$ for all $a \in A$. Note that $\{0\}$ and $A$ are ideals of $A$; we call them trivial ideals. Also note that proper ideals are not subalgebras in the strict sense used in this paper.

Semisimplicity: An algebra $A$ is called simple if it has no nontrivial ideal. An algebra is called semisimple if it is a direct sum of simple algebras.

Following are some standard facts about commutative semisimple algebras. 

Fact 3. Let $A$ be a commutative semisimple algebra. Then:

(1) $A$ is a direct sum of fields.

(2) If $I$ is an ideal of $A$ and $I^\perp := \{a \in A \mid aI = 0\}$ (called the complement of $I$) then $A = I \oplus I^\perp$. Furthermore, there exists an idempotent $e$ of $A$ such that $I = eA$, thus giving an explicit projection from $A$ to $I$.

Following is the celebrated Artin-Wedderburn Theorem that classifies semisimple algebras.

Fact 4. Any semisimple algebra $A$ is isomorphic to a direct sum of $n_i \times n_i$ matrix algebras over division rings $D_i$ (i.e. $D_i$ satisfies all field axioms except commutativity of multiplication). Both the $n_i$'s and the $D_i$'s are uniquely determined up to permutation of the indices $i$.

Morphisms: Let $\phi$ be a map between two algebras $A, B$. If $\phi$ preserves the addition and multiplication operations of the algebras then we call it a homomorphism. If the homomorphism is injective then we call it an embedding. If the homomorphism is both injective and surjective then we call it an isomorphism. A homomorphism from an algebra to itself is called an endomorphism. An isomorphism from an algebra to itself is called an automorphism. A set $S$ is said to be invariant under the automorphism $\phi$ of $A$ if for all $s \in S$, $\phi(s) \in S$. $\phi$ is said to fix $S$ if $\phi$ fixes each element of $S$, i.e. for all $s \in S$, $\phi(s) = s$. The group of $S$-automorphisms of $A$, $\mathrm{Aut}_S(A)$, is the set of all automorphisms of $A$ that fix $S$.

Throughout this paper all algebras are algebras with identity elements. Unless oth- 
erwise stated explicitly, by a subalgebra we mean a subalgebra containing the identity 
element. Thus, in this strict sense a proper ideal is not considered as a subalgebra. In the 
rest of this section A stands for a commutative semisimple algebra over the finite field k. 

2.1 Discrete Log for r-elements 

Given two $r$-elements (i.e. elements having order a power of the prime $r$) in a commutative semisimple algebra $A$, there is an algorithm that computes the discrete logarithm or finds a zero divisor (of a special form) in $A$. We describe this algorithm below; it is a variant of the Pohlig-Hellman [PH78] algorithm with the equality testing of elements replaced by testing whether their difference is a zero divisor.
Lemma 2.1. Given a prime $r$ distinct from the characteristic of a finite field $k$, a finite dimensional commutative semisimple algebra $A$ over $k$ and two $r$-elements $a, b \in A^*$, such that the order of $a$ is greater than or equal to the order of $b$. There is a deterministic algorithm which computes in time $\mathrm{poly}(r, \log |A|)$:

(1) either two non-negative integers $s, s'$ such that $a^s - b^{s'}$ is a zero divisor in $A$,

(2) or an integer $s \ge 0$ with $a^s = b$.

Proof. Let $t_a$ be the smallest non-negative integer such that $a^{r^{t_a}} - 1$ is zero or a zero divisor in $A$. Since $t_a \le \log_r |A|$ we can compute $a^r - 1, a^{r^2} - 1, \dots, a^{r^{t_a}} - 1$ in $\mathrm{poly}(\log |A|)$ time via fast exponentiation. We are done if $0 \neq a^{r^{t_a}} - 1 = a^{r^{t_a}} - b^0$ is a zero divisor. Therefore we may assume that $a^{r^{t_a}} = 1$, i.e. the order of $a$ is $r^{t_a}$. Let $t_b$ be the smallest non-negative integer such that $b^{r^{t_b}} - 1$ is zero or a zero divisor. Like $t_a$, $t_b$ can be computed in polynomial time and we may again assume that $r^{t_b}$ is the order of $b$. Replacing $a$ with $a^{r^{t_a - t_b}}$ we may assure that $t_a = t_b = t$. In this case for every primitive idempotent $e$ of $A$: $ea, eb$ have order $r^t$ in the finite field $eA$. As the multiplicative group of a finite field is cyclic, this means that there exists a nonnegative integer $s < r^t$ such that $(ea)^s = eb$. So we now attempt to find this discrete log, $s$, and the corresponding idempotent $e$ as well.

We iteratively compute the consecutive sections of the base $r$ expansion of $s$. To be more specific, we compute integers $s_0 = 0, s_1, s_2, \dots, s_t$ together with idempotents $e_1, \dots, e_t$ of $A$ such that, for all $1 \le j \le t$: $0 \le s_j < r^j$, $s_j \equiv s_{j-1} \pmod{r^{j-1}}$ and $a^{s_j r^{t-j}} e_j = b^{r^{t-j}} e_j$.

In the initial case $j = 1$ we find by exhaustive search, in at most $r$ rounds, an $s_1 \in \{1, \dots, r - 1\}$ such that $z_1 = (a^{s_1 r^{t-1}} - b^{r^{t-1}})$ is zero or a zero divisor. If it is zero then we set $e_1 = 1$, otherwise we compute and set $e_1$ equal to the identity element of the annihilator ideal $\{x \in A \mid z_1 x = 0\}$.

Assume that for some $j < t$ we have already found $s_j$ and $e_j$ with the desired property. Then we find by exhaustive search, in at most $r$ rounds, an integer $d_{j+1} \in \{0, \dots, r - 1\}$ such that $z_{j+1} = (a^{(s_j + d_{j+1} r^j) r^{t-j-1}} - b^{r^{t-j-1}})$ is zero or a zero divisor. We set $s_{j+1} = s_j + d_{j+1} r^j$ and take as $e_{j+1}$ the identity element of the annihilator ideal $\{x \in e_j A \mid x z_{j+1} = 0\}$.

The above procedure clearly terminates in $t$ rounds and, using fast exponentiation, can be implemented in $\mathrm{poly}(r, \log |A|)$ time. □
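As an added worked example (this code is not from the paper), the following Python program runs the procedure of Lemma 2.1 inside the concrete algebra $A = \mathbb{F}_p[x]/(f(x))$, where a nonzero element is a zero divisor exactly when its gcd with $f$ is a proper factor of $f$; so every zero divisor the lemma produces is at the same time a nontrivial factor of $f$, which is how the lemma feeds polynomial factoring. It follows the proof step by step (the exponents $t_a, t_b$, the replacement of $a$ by $a^{r^{t_a - t_b}}$, the digit-by-digit search for $s$) with one simplification: as soon as some $z_j$ is a nonzero zero divisor it returns conclusion (1) of the lemma instead of descending into the annihilator ideal $e_j A$. The field size, polynomial, elements and prime $r$ in the sample run are constructed toy values.

```python
# Added example (not from the paper): Lemma 2.1 in the concrete algebra
# A = F_p[x]/(f(x)).  Elements are coefficient lists, lowest degree first.
# A nonzero z in A is a zero divisor exactly when gcd(z, f) is a proper
# factor of f, so each zero divisor found is also a nontrivial factor of f.
# The parameters p, f, a, b, r in the sample run are constructed toy values.

def trim(v):
    """Drop leading zero coefficients in place; returns the same list."""
    while v and v[-1] == 0:
        v.pop()
    return v

def add(u, v, p):
    n = max(len(u), len(v))
    u, v = u + [0] * (n - len(u)), v + [0] * (n - len(v))
    return trim([(a + b) % p for a, b in zip(u, v)])

def sub(u, v, p):
    return add(u, [(-c) % p for c in v], p)

def mul(u, v, p):
    if not u or not v:
        return []
    out = [0] * (len(u) + len(v) - 1)
    for i, a in enumerate(u):
        for j, b in enumerate(v):
            out[i + j] = (out[i + j] + a * b) % p
    return trim(out)

def mod(u, f, p):
    """Remainder of u modulo a monic polynomial f over F_p."""
    u, d = trim(list(u)), len(f) - 1
    while len(u) - 1 >= d:
        c, shift = u[-1], len(u) - 1 - d
        for i, fc in enumerate(f):
            u[shift + i] = (u[shift + i] - c * fc) % p
        trim(u)
    return u

def gcd(u, v, p):
    """Monic gcd over F_p (Euclid); the divisor is made monic before each step."""
    u, v = trim(list(u)), trim(list(v))
    while v:
        inv = pow(v[-1], p - 2, p)
        u, v = v, mod(u, [(c * inv) % p for c in v], p)
    inv = pow(u[-1], p - 2, p) if u else 1
    return [(c * inv) % p for c in u]

def powmod(u, e, f, p):
    """u^e in F_p[x]/(f) by repeated squaring (the 'fast exponentiation' of the proof)."""
    result, base = [1], mod(u, f, p)
    while e:
        if e & 1:
            result = mod(mul(result, base, p), f, p)
        base, e = mod(mul(base, base, p), f, p), e >> 1
    return result

def classify(z, f, p):
    """'zero', 'unit', or a proper monic factor of f (then z is a zero divisor)."""
    z = mod(z, f, p)
    if not z:
        return "zero"
    g = gcd(z, f, p)
    return "unit" if len(g) == 1 else g

def r_power_exponent(u, f, p, r):
    """t_u of the proof: least t with u^(r^t) - 1 zero or a zero divisor.
    Returns (t, None) when u^(r^t) = 1, else (t, g) with g the factor exposed."""
    t, bound = 0, p ** (len(f) - 1)        # |A| bounds the order of any unit
    while r ** t <= bound:
        c = classify(sub(powmod(u, r ** t, f, p), [1], p), f, p)
        if c != "unit":
            return (t, None) if c == "zero" else (t, c)
        t += 1
    raise ValueError("u is not an r-element")

def algebra_dlog(p, f, a, b, r):
    """('log', s) with a^s = b in A, or ('zero_divisor', s, s2, g): a^s - b^s2
    is a zero divisor of A and g = gcd(a^s - b^s2, f) is a proper factor of f."""
    ta, g = r_power_exponent(a, f, p, r)
    if g is not None:                       # a^(r^ta) - b^0 is a zero divisor
        return ("zero_divisor", r ** ta, 0, g)
    tb, g = r_power_exponent(b, f, p, r)
    if g is not None:                       # a^0 - b^(r^tb) is a zero divisor
        return ("zero_divisor", 0, r ** tb, g)
    shift = r ** (ta - tb)                  # a := a^shift, now both have order r^t
    a, t, s = powmod(a, shift, f, p), tb, 0
    for j in range(1, t + 1):               # j-th base-r digit of s, by exhaustive search
        for d in range(1 if j == 1 else 0, r):
            cand = s + d * r ** (j - 1)
            z = sub(powmod(a, cand * r ** (t - j), f, p), powmod(b, r ** (t - j), f, p), p)
            c = classify(z, f, p)
            if c == "zero":
                s = cand
                break
            if c != "unit":                 # exponent rescaled to the original a
                return ("zero_divisor", cand * r ** (t - j) * shift, r ** (t - j), c)
        else:
            raise ValueError("a and b do not have order r^t in every component")
    return ("log", s * shift)

if __name__ == "__main__":
    f = [1, 0, 1]                           # A = F_13[x]/(x^2 + 1); x is a 2-element of order 4
    print(algebra_dlog(13, f, [0, 1], [0, 12], 2))   # ('log', 3): x^3 = 12x in A
    print(algebra_dlog(13, f, [0, 1], [5], 2))       # x - 5 is a zero divisor, so x^2 + 1 = (x - 5)(x + 5)
```

In the second sample run $a = x$ and $b = 5$ have equal order in both component fields of $A$, but the discrete logs differ between the components ($x \equiv 5$ in one, $x \equiv 8$ in the other), so the digit search produces $z_2 = x - 5$, a zero divisor whose gcd with $f$ splits $x^2 + 1$ over $\mathbb{F}_{13}$.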

2.2 Free Bases of Modules 

One of the possible methods for finding zero divisors in algebras is attempting to compute a free basis of a module over it. The following lemma states the basic tool for doing that.

Lemma 2.2. Let $V$ be a finitely generated module over a finite dimensional algebra $A$ over a finite field $k$. If $V$ is not a free $A$-module then one can find a zero divisor in $A$ deterministically in time $\mathrm{poly}(\dim_k V, \log |A|)$.

Proof. We give an algorithm that attempts to find a free basis of $V$ over $A$, but as there is no free basis it ends up finding a zero divisor.

Pick a nonzero $v_1 \in V$. We can efficiently check whether a nonzero $x \in A$ exists such that $x v_1 = 0$, and also find it, by linear algebra over $k$. If we get such an $x$ then it is a zero divisor, for otherwise $x^{-1}$ would exist, implying $v_1 = 0$. So suppose such an $x$ does not exist; hence $V_1 := A v_1$ is a free $A$-module. Now $V_1 \neq V$, so find a $v_2 \in V \setminus V_1$ by linear algebra over $k$. Again we can efficiently check whether a nonzero $x \in A$ exists such that $x v_2 \in V_1$, and also find it, by linear algebra over $k$. If we get such an $x$ then it is a zero divisor, for otherwise $x^{-1}$ would exist, implying $v_2 \in V_1$. So suppose such an $x$ does not exist; hence $V_2 := A v_1 + A v_2$ is a free $A$-module. Now $V_2 \neq V$, so we can find a $v_3 \in V \setminus V_2$ by linear algebra over $k$ and continue this process. This process will, in at most $\dim_k V$ iterations, yield a zero divisor as $V$ is not a free $A$-module. □
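The following Python program is an added example (not the paper's code) of the search in the proof of Lemma 2.2, in the input model of the "Presentation" paragraph of Section 2: the algebra $A$ over $\mathbb{F}_p$ is given by structure constants and the module $V = \mathbb{F}_p^m$ by the matrices of the basis elements acting on it. It chooses $v_1, v_2, \dots$ outside the span built so far, tests by linear algebra over $\mathbb{F}_p$ whether some nonzero $x \in A$ maps $v_i$ into $A v_1 + \cdots + A v_{i-1}$, and returns that $x$ as a zero divisor, or a free basis if the process completes. The sample algebra $\mathbb{F}_7[x]/(x^2 - 1)$ and its two modules are constructed for the illustration.

```python
# Added example (not the paper's code): the free-basis-or-zero-divisor search
# of Lemma 2.2 in the input model of the "Presentation" paragraph.  The
# algebra A over F_p is given by structure constants, b_i * b_j = sum_l
# sc[i][j][l] b_l, and an A-module V = F_p^m by one m x m matrix per basis
# element.  Following the proof, v_1, v_2, ... are chosen outside the span
# built so far; a nonzero x in A with x v_i in A v_1 + ... + A v_{i-1} is a
# zero divisor and is returned.  The sample algebra and modules are constructed.

class Span:
    """A subspace of F_p^dim kept as reduced row echelon rows with pivot columns."""
    def __init__(self, p, dim):
        self.p, self.dim, self.rows, self.pivots = p, dim, [], []

    def reduce(self, v):
        """Canonical representative of v modulo the span (a linear map)."""
        v = [c % self.p for c in v]
        for row, piv in zip(self.rows, self.pivots):
            c = v[piv]
            if c:
                v = [(a - c * b) % self.p for a, b in zip(v, row)]
        return v

    def add(self, v):
        """Insert v; returns True if it enlarged the span."""
        v = self.reduce(v)
        piv = next((i for i, c in enumerate(v) if c), None)
        if piv is None:
            return False
        inv = pow(v[piv], self.p - 2, self.p)
        v = [(c * inv) % self.p for c in v]
        self.rows = [[(a - row[piv] * b) % self.p for a, b in zip(row, v)]
                     for row in self.rows]        # clear the new pivot column
        self.rows.append(v)
        self.pivots.append(piv)
        return True

    def kernel_vector(self):
        """Nonzero x with row . x = 0 for every row, or None if the rows have full column rank."""
        free = [j for j in range(self.dim) if j not in self.pivots]
        if not free:
            return None
        x = [0] * self.dim
        x[free[0]] = 1
        for row, piv in zip(self.rows, self.pivots):
            x[piv] = (-row[free[0]]) % self.p
        return x

def act(p, action, x, v):
    """(sum_i x_i b_i) . v for coordinates x of an algebra element and v in V."""
    m = len(v)
    out = [0] * m
    for i, xi in enumerate(x):
        for r in range(m):
            out[r] = (out[r] + xi * sum(action[i][r][c] * v[c] for c in range(m))) % p
    return out

def mult(p, sc, x, y):
    """Product of two algebra elements from the structure constants."""
    n = len(x)
    out = [0] * n
    for i in range(n):
        for j in range(n):
            for l in range(n):
                out[l] = (out[l] + x[i] * y[j] * sc[i][j][l]) % p
    return out

def free_basis_or_zero_divisor(p, sc, action):
    n, m = len(sc), len(action[0])
    span = Span(p, m)                       # A v_1 + ... + A v_{i-1}
    basis = []
    while len(span.pivots) < m:
        k = next(j for j in range(m) if j not in span.pivots)
        v = [int(j == k) for j in range(m)] # a standard basis vector outside the span
        # residues of b_t . v modulo the span: x . v lies in the span iff
        # sum_t x_t * images[t] = 0, i.e. x is in the kernel of the rows below
        images = [span.reduce(act(p, action, [int(i == t) for i in range(n)], v))
                  for t in range(n)]
        rel = Span(p, n)
        for r in range(m):
            rel.add([images[t][r] for t in range(n)])
        x = rel.kernel_vector()
        if x is not None:
            return ("zero_divisor", x)
        basis.append(v)
        for img in images:                  # the span grows by the free module A v
            span.add(img)
    return ("free_basis", basis)

# Sample data (constructed): A = F_7[x]/(x^2 - 1) with basis b_0 = 1, b_1 = x.
P = 7
SC = [[[1, 0], [0, 1]], [[0, 1], [1, 0]]]
REGULAR = [[[1, 0], [0, 1]], [[0, 1], [1, 0]]]   # A acting on itself: free of rank 1
QUOTIENT = [[[1]], [[1]]]                         # V = A/(x - 1): x acts as 1, not free
```

On the regular module the search completes and reports the free basis $\{v_1\} = \{1\}$; on the quotient module $V = A/(x - 1)$ the first step already finds $x - 1$ (coordinates $(6, 1)$ over $\mathbb{F}_7$) annihilating $v_1$, and $(x - 1)(x + 1) = 0$ confirms it is a zero divisor of $A$.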

2.3 Automorphisms and Invariant Ideal Decompositions 

Automorphisms of $A$ are assumed to be given as linear transformations of the $k$-vector space $A$ in terms of a $k$-linear basis of $A$. For images we use the superscript notation while for the fixed points the subscript notation: if $\sigma$ is an automorphism of $A$ then the image of $x \in A$ under $\sigma$ is denoted by $x^\sigma$. If $\Gamma$ is a set of automorphisms of $A$ then $A_\Gamma$ denotes the set of the elements of $A$ fixed by every $\sigma \in \Gamma$. It is obvious that $A_\Gamma$ is a subalgebra of $A$. For a single automorphism $\sigma$ we use $A_\sigma$ in place of $A_{\{\sigma\}}$.

Given an ideal $I$ of $A$ and an automorphism $\sigma$ of $A$ we usually try to find zero divisors from the action of $\sigma$ on $I$. Note that, by Fact 3, $A = I \oplus I^\perp$. Now $I^\sigma$ is an ideal of $A$, and if it is neither $I$ nor $I^\perp$ then we try computing $I \cap I^\sigma$. This can be easily computed by first finding the identity element $e$ of $I$; then $I \cap I^\sigma$ is simply $A e e^\sigma$. By the hypothesis this will be a proper ideal of $I$, thus leading to a refinement of the decomposition $A = I \oplus I^\perp$. This basic idea can be carried all the way to give the following tool that finds a refined, invariant, ideal decomposition.

Lemma 2.3. Given $A$, a commutative semisimple algebra over a finite field $k$, together with a set of $k$-automorphisms $\Gamma$ of $A$ and a decomposition of $A$ into a sum of pairwise orthogonal ideals $J_1, \dots, J_s$, there is a deterministic algorithm of time complexity $\mathrm{poly}(|\Gamma|, \log |A|)$ that computes a decomposition of $A$ into a sum of pairwise orthogonal ideals $I_1, \dots, I_t$ such that:

(1) the new decomposition is a refinement of the original one - for every $j \in \{1, \dots, t\}$, there exists $i \in \{1, \dots, s\}$ such that $I_j \subseteq J_i$, and

(2) the new decomposition is invariant under $\Gamma$ - the group generated by $\Gamma$ permutes the ideals $I_1, \dots, I_t$, i.e. for every $\sigma \in \Gamma$ and for every index $j \in \{1, \dots, t\}$, we have $I_j^\sigma = I_{j'}$ for some index $j' \in \{1, \dots, t\}$.

3 Semiregularity 

In this section we continue to assume that $\mathcal{A}$ is a commutative semisimple algebra over a finite field $k$. Given $\Gamma \subseteq \mathrm{Aut}_k(\mathcal{A})$, a basis of $\mathcal{A}_\Gamma$ can be computed by solving a system of linear equations in $\mathcal{A}$. Thus, we can apply the method of Lemma 2.2, considering $\mathcal{A}$ as an $\mathcal{A}_\Gamma$-module with respect to the multiplication in $\mathcal{A}$. In this section we describe a class of algebras, together with automorphisms, that are free modules over the subalgebra of the fixed points of the corresponding set of automorphisms, i.e. on which the tool of Lemma 2.2 is ineffective.

Let $\sigma$ be a $k$-automorphism of $\mathcal{A}$. We say that $\sigma$ is fix-free if there is no nontrivial ideal $I$ of $\mathcal{A}$ such that $\sigma$ fixes $I$. We call a group $G \le \mathrm{Aut}(\mathcal{A})$ semiregular if every non-identity element of $G$ is fix-free. A single automorphism $\sigma$ of $\mathcal{A}$ is semiregular if $\sigma$ generates a semiregular group of automorphisms of $\mathcal{A}$.

We have the following characterization of semiregularity.

Lemma 3.1. Let $\mathcal{A}$ be a commutative semisimple algebra over a finite field $k$ and let $G$ be a group of $k$-automorphisms of $\mathcal{A}$. Then $\dim_k \mathcal{A} \le |G| \cdot \dim_k \mathcal{A}_G$, where equality holds if and only if $G$ is semiregular. This condition is also equivalent to saying that $\mathcal{A}$ is a free $\mathcal{A}_G$-module of rank $|G|$.

Proof. The proof is based on the observation that $\mathcal{A}$ is a direct sum of fields and a $k$-automorphism of $\mathcal{A}$ just permutes these component fields.

Let $e$ be a primitive idempotent of $\mathcal{A}$. We denote the stabilizer of $e$ in $G$ by $G_e$, i.e. $G_e = \{\sigma \in G \mid e^\sigma = e\}$. Let $C$ be a complete set of right coset representatives modulo $G_e$ in $G$. The orbit of $e$ under $G$ is $\{e^\gamma \mid \gamma \in C\}$ and these are $|G : G_e|$ many pairwise orthogonal primitive idempotents in $\mathcal{A}$. This means that the component field $e\mathcal{A}$ is sent to the other component fields $\{e^\gamma\mathcal{A} \mid \gamma \in C\}$ by $G$. Thus, the element $f := \sum_{\gamma \in C} e^\gamma \in \mathcal{A}_G$ is a primitive idempotent of $\mathcal{A}_G$ and, equivalently, $f\mathcal{A}_G$ is a field.

The subgroup $G_e$ acts as a group of field automorphisms of $e\mathcal{A}$. This gives a restriction map $\lambda : G_e \to \mathrm{Aut}_k(e\mathcal{A})$ whose kernel, say $N_e$, so $N_e = \{\sigma \in G_e \mid \sigma \text{ fixes } e\mathcal{A}\}$, is a normal subgroup of $G_e$; thus $G_e/N_e$ are distinct $k$-automorphisms of the field $e\mathcal{A}$. We claim that $(e\mathcal{A})_{G_e} = e\mathcal{A}_G$. The inclusion $e\mathcal{A}_G \subseteq (e\mathcal{A})_{G_e}$ is trivial. To see the reverse inclusion, let $x \in (e\mathcal{A})_{G_e}$ and consider $y := \sum_{\gamma \in C} x^\gamma$. Since $x \in e\mathcal{A}$ we get $ex = x$ and $y = \sum_{\gamma \in C} e^\gamma x^\gamma$, whence, using the orthogonality of the idempotents $e^\gamma$, we infer $ey = x$. The fact that $y \in \mathcal{A}_G$ completes the proof of the claim. As $G_e$ is a group of automorphisms of the field $e\mathcal{A}$, this claim implies that $e\mathcal{A}_G$ is a field too and also, by Galois theory, $[e\mathcal{A} : e\mathcal{A}_G] = |G_e/N_e|$.

Observe that $ef = e$ and this makes multiplication by $e$ an onto homomorphism from $f\mathcal{A}_G$ to $e\mathcal{A}_G$. This homomorphism is also injective as $e\mathcal{A}_G$, $f\mathcal{A}_G$ are fields, thus making $f\mathcal{A}_G \cong e\mathcal{A}_G$. Together with the fact that $f\mathcal{A}$ is a free $e\mathcal{A}$-module of dimension $|G : G_e|$ this implies that $\dim_{f\mathcal{A}_G} f\mathcal{A} = |G : G_e| \cdot \dim_{e\mathcal{A}_G} e\mathcal{A}$. Furthermore, from the last paragraph $\dim_{e\mathcal{A}_G} e\mathcal{A} = |G_e : N_e|$, thus $\dim_{f\mathcal{A}_G} f\mathcal{A} = |G : N_e| \le |G|$. Finally, this gives $\dim_k f\mathcal{A} \le \dim_k f\mathcal{A}_G \cdot |G|$. Applying this for all the primitive idempotents $e$ of $\mathcal{A}$ (and thus to all the corresponding primitive idempotents $f$ of $\mathcal{A}_G$), we obtain the asserted inequality.

Observe that equality holds iff $|N_e| = 1$ for every primitive idempotent $e$ of $\mathcal{A}$. In that case, for every primitive idempotent $e$ of $\mathcal{A}$ there is no non-identity automorphism in $G$ that fixes $e\mathcal{A}$; equivalently, for every nontrivial ideal $I$ of $\mathcal{A}$ there is no non-identity automorphism in $G$ that fixes $I$. This means that equality holds iff $G$ is semiregular.

Also, equality holds iff $\dim_{f\mathcal{A}_G} f\mathcal{A} = |G|$ for every primitive idempotent $e$ of $\mathcal{A}$. The latter condition is equivalent to saying that every component field of $\mathcal{A}_G$ has multiplicity $|G|$ in the $\mathcal{A}_G$-module $\mathcal{A}$; this in turn is equivalent to saying that $\mathcal{A}$ is a free $\mathcal{A}_G$-module of dimension $|G|$. □

Using the above Lemma we can decide semiregularity in an efficient way. 

Proposition 3.2. Given a commutative semisimple algebra $\mathcal{A}$ over a finite field $k$, together with a set $\Gamma$ of $k$-automorphisms of $\mathcal{A}$. Let $G$ be the group generated by $\Gamma$. In deterministic $\mathrm{poly}(|\Gamma|, \log|\mathcal{A}|)$ time one can list all the elements of $G$ if $G$ is semiregular, or one can find a zero divisor of $\mathcal{A}$ if $G$ is not semiregular.

Proof. We first compute $\mathcal{A}_\Gamma$ by linear algebra over $k$. We can assume that $\mathcal{A}$ is a free $\mathcal{A}_\Gamma$-module, otherwise the algorithm in Lemma 2.2 finds a zero divisor. By Lemma 3.1, $|G| \ge \dim_{\mathcal{A}_\Gamma} \mathcal{A} =: m$, so try to enumerate $(m+1)$ different elements in the group $G$. If we are unable to get that many elements then, by Lemma 3.1, $G$ is semiregular and we end up with a list of $m$ elements that exactly comprise $G$.

If we do get a set $S$ of $(m+1)$ elements then $G$ is clearly not semiregular. Let $e$ be a primitive idempotent of $\mathcal{A}$ such that the subgroup $N_e \le G$, consisting of automorphisms that fix $e\mathcal{A}$, is of maximal size. Then from the proof of Lemma 3.1 we obtain $|G : N_e| \le m$, which means, by the pigeon-hole principle, that in the set $S$ there are two different elements $\sigma_1, \sigma_2$ such that $\sigma := \sigma_1\sigma_2^{-1} \in N_e$, thus $\sigma$ fixes $e\mathcal{A}$. We now compute $\mathcal{A}_\sigma$ and we know from this discussion that $e\mathcal{A} \subseteq \mathcal{A}_\sigma$. Thus we get two orthogonal component algebras $e\mathcal{A}_\sigma$ and $(1-e)\mathcal{A}_\sigma$ of $\mathcal{A}_\sigma$. We have from the proof of Lemma 3.1 that $e\mathcal{A}_\sigma = (e\mathcal{A})_\sigma = e\mathcal{A}$ while $(1-e)\mathcal{A}_\sigma = ((1-e)\mathcal{A})_\sigma \ne (1-e)\mathcal{A}$ (if $((1-e)\mathcal{A})_\sigma = (1-e)\mathcal{A}$ then $\sigma$ would fix every element in $\mathcal{A}$ and would be a trivial automorphism). As a result $\mathcal{A}$ is not a free module over $\mathcal{A}_\sigma$ and hence we can find a zero divisor of $\mathcal{A}$ using the method of Lemma 2.2. □

Subgroup $G_\mathcal{B}$: Let $G$ be a semiregular group of $k$-automorphisms of $\mathcal{A}$ and let $\mathcal{B}$ be a subalgebra of $\mathcal{A}$. We define $G_\mathcal{B}$ to be the subgroup of automorphisms of $G$ that fix $\mathcal{B}$. We give below a Galois theory-like characterization of $G_\mathcal{B}$.

Proposition 3.3. Given a semiregular group $G$ of automorphisms of a commutative semisimple algebra $\mathcal{A}$ over a finite field $k$ and a subalgebra $\mathcal{B}$ of $\mathcal{A}$ containing $\mathcal{A}_G$, one can find a zero divisor in $\mathcal{A}$ in deterministic polynomial time if $\mathcal{B} \ne \mathcal{A}_{G_\mathcal{B}}$.

Proof. If $\mathcal{A}$ is a field extension of $k$ then by Galois theory $\mathcal{B} = \mathcal{A}_{G_\mathcal{B}}$. If $|k| < (\dim_k \mathcal{A})^2$ and $\mathcal{A}$ is not a field then we can find a zero divisor in $\mathcal{A}$ using Berlekamp's deterministic polynomial time algorithm. So for the rest of the proof we may assume that $|k| \ge (\dim_k \mathcal{A})^2$, and then the usual proof of Fact 1 gives a deterministic polynomial time algorithm for finding a primitive element $x$ of $\mathcal{A}$ over $k$, see [Gl00].

Let $|G| = d$. We may assume that the elements $1, x, x^2, \dots, x^{d-1}$ form a free basis of $\mathcal{A}$ over $\mathcal{A}_G$, since otherwise we find a zero divisor in $\mathcal{A}$ using the method of Lemma 2.2. Let $x^d = \sum_{i=0}^{d-1} a_i x^i$ with $a_i \in \mathcal{A}_G$ and let $f(X) := X^d - \sum_{i=0}^{d-1} a_i X^i \in \mathcal{A}_G[X]$. Obviously $x$ is a root of $f(X)$ and, as any $\sigma \in G$ fixes the coefficients of $f(X)$, we get that $x^\sigma$ is also a root of $f(X)$. Again by Lemma 2.2 we may assume that $\mathcal{A}$ is a $\mathcal{B}$-module with $\{1, x, \dots, x^{m-1}\}$ as a free basis, where $m := \dim_\mathcal{B} \mathcal{A}$. Let $x^m = \sum_{i=0}^{m-1} b_i x^i$ with $b_i \in \mathcal{B}$; thus $x$ is a root of the polynomial $g(X) := X^m - \sum_{i=0}^{m-1} b_i X^i \in \mathcal{B}[X]$.

Let us consider $f(X)$ as a polynomial in $\mathcal{B}[X]$. As $g(X)$ is monic we can apply the usual polynomial division algorithm to obtain polynomials $h(X)$ and $r(X)$ from $\mathcal{B}[X]$ such that the degree of $h(X)$ is $(d-m)$, the degree of $r(X)$ is less than $m$ and $f(X) = g(X)h(X) + r(X)$. We have $r(x) = 0$, which together with the freeness of the basis $\{1, x, \dots, x^{m-1}\}$ implies that $r(X) = 0$ and $f(X) = g(X)h(X)$. We know from the last paragraph that for all $\sigma \in G$, $x^\sigma$ is a root of $g(X)h(X)$. If neither $g(x^\sigma)$ nor $h(x^\sigma)$ is zero then we have a pair of zero divisors. If $g(x^\sigma) = 0$ then we can perform the division of $g(X)$ by $(X - x^\sigma)$, obtaining a polynomial $g_1(X) \in \mathcal{B}[X]$ with $g(X) = (X - x^\sigma)g_1(X)$, and can then proceed with a new automorphism $\sigma' \in G$ and with $g_1(X)$ in place of $g(X)$. In $d$ rounds we either find a zero divisor in $\mathcal{A}$ or two disjoint subsets $K, K'$ of $G$ with
$$g(X) = \prod_{\sigma \in K}(X - x^\sigma) \quad \text{and} \quad h(X) = \prod_{\sigma' \in K'}(X - x^{\sigma'}).$$
For $\sigma \in K$ let $\phi_\sigma : \mathcal{B}[X] \to \mathcal{A}$ be the homomorphism which fixes $\mathcal{B}$ but sends $X$ to $x^\sigma$. As $g(x^\sigma) = 0$, $\phi_\sigma$ induces a homomorphism from $\mathcal{B}[X]/(g(X))$ to $\mathcal{A}$, which we denote again by $\phi_\sigma$. We know that $\phi_1$ is actually an isomorphism $\mathcal{B}[X]/(g(X)) \cong \mathcal{A}$, therefore the maps $\mu_\sigma := \phi_\sigma \circ \phi_1^{-1}$ ($\sigma \in K$) are $\mathcal{B}$-endomorphisms of $\mathcal{A}$. Note that we can find a zero divisor in $\mathcal{A}$ if any $\mu_\sigma$ is not an automorphism; also, by Proposition 3.2 we can find a zero divisor in $\mathcal{A}$ if the maps $\mu_\sigma$ ($\sigma \in K$) generate a non-semiregular group of $\mathcal{B}$-automorphisms of $\mathcal{A}$. Thus, we can assume that the $\mu_\sigma$, for all $\sigma \in K$, generate a semiregular group of $\mathcal{B}$-automorphisms of $\mathcal{A}$. As $|K| = \dim_\mathcal{B} \mathcal{A}$ this means, by Lemma 3.1, that the set $\{\mu_\sigma \mid \sigma \in K\}$ is a group, say $H$. We can as well assume that the group of $k$-automorphisms of $\mathcal{A}$ generated by $G$ and $H$ is semiregular, for otherwise we find a zero divisor in $\mathcal{A}$. Again, as $|G| = \dim_{\mathcal{A}_G} \mathcal{A}$ this means, by Lemma 3.1, that $H$ is a subgroup of $G$. Thus, by Lemma 3.1, $[\mathcal{A} : \mathcal{A}_H] = |H| = |K| = [\mathcal{A} : \mathcal{B}]$, which together with the fact $\mathcal{B} \le \mathcal{A}_H$ gives $\mathcal{A}_H = \mathcal{B}$. As $H \le G_\mathcal{B}$ we also get $H = G_\mathcal{B}$ (if $H < G_\mathcal{B}$ then $[\mathcal{A} : \mathcal{A}_H] < [\mathcal{A} : \mathcal{A}_{G_\mathcal{B}}] \le [\mathcal{A} : \mathcal{B}]$, which is a contradiction). Thus, if none of the above steps yields a zero divisor then $\mathcal{B} = \mathcal{A}_{G_\mathcal{B}}$. □

4 Kummer Extensions and Automorphisms of an Algebra over a Finite Field

In classical field theory a field extension $L$ over $k$ is called a Kummer extension if $k$ has, say, an $r$-th primitive root of unity and $L = k(\sqrt[r]{a})$. Kummer extensions are the building blocks in field theory because they have a cyclic Galois group. In the previous section we developed a notion of semiregular groups to mimic the classical notion of Galois groups; in this section we extend the classical notion of Kummer extensions to a commutative semisimple algebra $\mathcal{A}$ over a finite field $k$. The properties of Kummer extensions of $\mathcal{A}$ that we prove in the next three subsections are the reason why we can get polynomial factoring-like results without invoking GRH.

4.1 Kummer-type extensions 

We generalize below several tools and results in field theory, from the seminal paper of Lenstra [L91], to commutative semisimple algebras.

$k[\zeta_r]$ and $\Delta_r$: Let $k$ be a finite field and let $r$ be a prime different from $\mathrm{char}\,k$. By $k[\zeta_r]$ we denote the factor algebra $k[X]/(\sum_{i=0}^{r-1} X^i)$ and $\zeta_r := X \pmod{\sum_{i=0}^{r-1} X^i}$. Then $k[\zeta_r]$ is an $(r-1)$-dimensional $k$-algebra with basis $\{1, \zeta_r, \dots, \zeta_r^{r-2}\}$ and for every integer $a$ coprime to $r$ there exists a unique $k$-automorphism $\rho_a$ of $k[\zeta_r]$ which sends $\zeta_r$ to $\zeta_r^a$. Let $\Delta_r$ denote the set of all $\rho_a$'s.

Clearly, $\Delta_r$ is a group isomorphic to the multiplicative group of integers modulo $r$, therefore it is a cyclic group of order $(r-1)$. Note that for $r = 2$ we have $\zeta_2 = -1$, $k[\zeta_2] = k$ and $\Delta_2 = \{\mathrm{id}\}$.

$\mathcal{A}[\zeta_r]$ and $\Delta_r$: Let $\mathcal{A}$ be a commutative semisimple algebra over $k$; then by $\mathcal{A}[\zeta_r]$ we denote $\mathcal{A} \otimes_k k[\zeta_r]$. We consider $\mathcal{A}$ as embedded into $\mathcal{A}[\zeta_r]$ via the map $x \mapsto x \otimes 1$ and $k[\zeta_r]$ embedded into $\mathcal{A}[\zeta_r]$ via the map $x \mapsto 1 \otimes x$. Every element $\rho_a$ of the group $\Delta_r$ can be extended in a unique way to an automorphism of $\mathcal{A}[\zeta_r]$ which acts as the identity on $\mathcal{A}$. These extended automorphisms of $\mathcal{A}[\zeta_r]$ are also denoted by $\rho_a$ and their group by $\Delta_r$.

Note that if $\mathcal{A} = \mathcal{A}_1 \oplus \dots \oplus \mathcal{A}_l$ then $\mathcal{A}[\zeta_r] = \mathcal{A}_1[\zeta_r] \oplus \dots \oplus \mathcal{A}_l[\zeta_r]$, thus $\mathcal{A}$'s semisimplicity implies that $\mathcal{A}[\zeta_r]$ is semisimple as well. We can also easily see the fixed points in $\mathcal{A}[\zeta_r]$ of $\Delta_r$, just like Proposition 4.1 of [L91]:
Lemma 4.1. $\mathcal{A}[\zeta_r]_{\Delta_r} = \mathcal{A}$.

Proof. Observe that $\mathcal{A}[\zeta_r]$ is a free $\mathcal{A}$-module with basis $\{\zeta_r, \dots, \zeta_r^{r-1}\}$. As $r$ is prime this basis is transitively permuted by $\Delta_r$, thus an $x = \sum_{i=1}^{r-1} a_i \zeta_r^i \in \mathcal{A}[\zeta_r]$ is fixed by $\Delta_r$ iff the $a_i$'s are equal iff $x \in \mathcal{A}$. □

Consider the multiplicative group $\mathcal{A}[\zeta_r]^*$ of units in $\mathcal{A}[\zeta_r]$.

Sylow subgroup $\mathcal{A}[\zeta_r]_r$: Let $\mathcal{A}[\zeta_r]_r$ be the set of $r$-elements of $\mathcal{A}[\zeta_r]^*$. Note that $\mathcal{A}[\zeta_r]_r$ is of $r$-power size and is also the $r$-Sylow subgroup of the group $\mathcal{A}[\zeta_r]^*$. Let $|\mathcal{A}[\zeta_r]_r| =: r^t$.

Automorphism $\omega(a)$: Let $a$ be coprime to $r$. Observe that the residue class of $a^{r^{t-1}}$ modulo $r^t$ depends only on the residue class of $a$ modulo $r$, because the map $a \mapsto a^{r^{t-1}}$ corresponds just to the projection of the multiplicative group $\mathbb{Z}_{r^t}^* \cong (\mathbb{Z}_{r-1}, +) \oplus (\mathbb{Z}_{r^{t-1}}, +)$ to the first component. This, together with the fact that for any $x \in \mathcal{A}[\zeta_r]_r$, $x^{r^t} = 1$, gives that the element $x^{a^{r^{t-1}}}$ depends only on the residue class of $a$ modulo $r$. This motivates the definition of the map, following [L91],
$$\omega(a) : x \mapsto x^{\omega(a)} := x^{a^{r^{t-1}}}$$
from $\mathcal{A}[\zeta_r]_r$ to itself. Note that we use the term $\omega(a)$ for both the above map as well as the residue of $a^{r^{t-1}}$ modulo $r^t$.

Note that the map $\omega(a)$ is an automorphism of the group $\mathcal{A}[\zeta_r]_r$ and it commutes with all the endomorphisms of the group $\mathcal{A}[\zeta_r]_r$. Also, the map $a \mapsto \omega(a)$ is a group embedding $\mathbb{Z}_r^* \hookrightarrow \mathrm{Aut}(\mathcal{A}[\zeta_r]_r)$.

Teichmüller subgroup: Notice that if $x \in \mathcal{A}[\zeta_r]$ has order $r$ then $x^{\omega(a)} = x^a$. Thus, $\omega(a)$ can be considered as an extension of the map $\rho_a$ that raised elements of order $r$ to the $a$-th power. The elements on which the actions of $\omega(a)$ and $\rho_a$ are the same, for all $a$, form the Teichmüller subgroup, $T_{\mathcal{A},r}$, of $\mathcal{A}[\zeta_r]^*$:
$$T_{\mathcal{A},r} := \{x \in \mathcal{A}[\zeta_r]_r \mid x^{\rho_a} = x^{\omega(a)} \text{ for every } \rho_a \in \Delta_r\}.$$

Note that for $r = 2$, $T_{\mathcal{A},2}$ is just the 2-Sylow subgroup of $\mathcal{A}^*$.

By [L91], Proposition 4.2, if $\mathcal{A}$ is a field then $T_{\mathcal{A},r}$ is cyclic. We show in the following lemma that, in our general case, given a witness of non-cyclicness of $T_{\mathcal{A},r}$ we can compute a zero divisor in $\mathcal{A}$.

Lemma 4.2. Given $u, v \in T_{\mathcal{A},r}$ such that the subgroup generated by $u$ and $v$ is not cyclic, we can find a zero divisor in $\mathcal{A}$ in deterministic $\mathrm{poly}(r, \log|\mathcal{A}|)$ time.

Proof. Suppose the subgroup generated by $u$ and $v$ is not cyclic. Then, by Lemma 2.1, we can efficiently find a zero divisor $z$, in the semisimple algebra $\mathcal{A}[\zeta_r]$, of the form $z = (u^s - v^{s'})$. Next we compute the annihilator ideal $I$ of $z$ in $\mathcal{A}[\zeta_r]$ and its identity element $e$, thus $I = e\mathcal{A}[\zeta_r]$. If we can show that $I$ is invariant under $\Delta_r$ then $\Delta_r$ is a group of algebra automorphisms of $I$, which of course would fix the identity element $e$ of $I$. Thus, $e$ is in $\mathcal{A}[\zeta_r]_{\Delta_r}$ and hence $e$ is in $\mathcal{A}$ by Lemma 4.1, so we have a zero divisor in $\mathcal{A}$.

Now we show that the annihilator ideal $I = e\mathcal{A}[\zeta_r]$ of $z$ in $\mathcal{A}[\zeta_r]$ is invariant under $\Delta_r$. By definition $e$ is an idempotent such that $e(u^s - v^{s'}) = 0$. Observe that for any $a \in \{1, \dots, r-1\}$ we have that $(eu^s)^{\omega(a^{-1})} = (ev^{s'})^{\omega(a^{-1})}$. Using this together with the fact that $u^s, v^{s'} \in T_{\mathcal{A},r}$ we obtain
$$e^{\rho_a}(u^s - v^{s'}) = \big(e((u^s)^{\rho_{a^{-1}}} - (v^{s'})^{\rho_{a^{-1}}})\big)^{\rho_a} = \big(e((u^s)^{\omega(a^{-1})} - (v^{s'})^{\omega(a^{-1})})\big)^{\rho_a} = \big((eu^s)^{\omega(a^{-1})} - (ev^{s'})^{\omega(a^{-1})}\big)^{\rho_a} = 0^{\rho_a} = 0.$$
Thus, for all $a \in \{1, \dots, r-1\}$, $e^{\rho_a} \in I$, which means that $I$ is invariant under $\Delta_r$. □
Now we are in a position to define what we call a Kummer extension of an algebra $\mathcal{A}$.

Kummer extension $\mathcal{A}[\zeta_r][\sqrt[s]{c}]$: For $c \in \mathcal{A}[\zeta_r]^*$ and a power $s$ of $r$, by $\mathcal{A}[\zeta_r][\sqrt[s]{c}]$ we denote the factor algebra $\mathcal{A}[\zeta_r][Y]/(Y^s - c)$ and $\sqrt[s]{c} := Y \pmod{Y^s - c}$.

Remark. Given $c, c_1 \in T_{\mathcal{A},r}$ such that the order of $c$ is greater than or equal to the order of $c_1$ and $c_1$ is not a power of $c$, by Lemma 4.2 we can find a zero divisor in $\mathcal{A}$ in $\mathrm{poly}(r, \log|\mathcal{A}|)$ time. Therefore, the really interesting Kummer extensions are of the form $\mathcal{A}[\zeta_r][\sqrt[s]{c}]$ where $c \in T_{\mathcal{A},r}$ and $\zeta_r$ is a power of $\sqrt[s]{c}$.

Clearly, $\mathcal{A}[\zeta_r][\sqrt[s]{c}]$ is a free $\mathcal{A}[\zeta_r]$-module of rank $s$ with basis $\{1, \sqrt[s]{c}, \dots, (\sqrt[s]{c})^{s-1}\}$. If $c \in T_{\mathcal{A},r}$ then $\sqrt[s]{c}$ is an $r$-element of $\mathcal{A}[\zeta_r][\sqrt[s]{c}]^*$ and, for any integer $a$ coprime to $r$, we now identify an automorphism of the Kummer extension. Extending [L91], Proposition 4.3, we obtain:

Lemma 4.3. Let $c \in T_{\mathcal{A},r}$. Then we can extend every $\rho_a \in \Delta_r$ to a unique automorphism of $\mathcal{A}[\zeta_r][\sqrt[s]{c}]$ that sends $\sqrt[s]{c}$ to $(\sqrt[s]{c})^{\omega(a)}$.

Proof. For a $\rho_a \in \Delta_r$ let $\bar\rho_a$ denote the map from $\mathcal{A}[\zeta_r][Y]$ to $\mathcal{A}[\zeta_r][\sqrt[s]{c}]$ that fixes $\mathcal{A}$, sends $\zeta_r$ to $\zeta_r^a$ and $Y$ to $(\sqrt[s]{c})^{\omega(a)}$. As $c \in T_{\mathcal{A},r}$, $\bar\rho_a$ maps $c$ to $c^{\omega(a)}$ and thus maps $(Y^s - c)$ to zero. This means that $\bar\rho_a$ can be seen as an endomorphism of $\mathcal{A}[\zeta_r][\sqrt[s]{c}]$ that sends $\sqrt[s]{c}$ to $(\sqrt[s]{c})^{\omega(a)}$. Clearly, $\bar\rho_b \cdot \bar\rho_{b'}$ is the same endomorphism as $\bar\rho_{bb'}$ if $b, b'$ are both coprime to $r$. Now as $\bar\rho_a \cdot \bar\rho_{a^{-1}} = \bar\rho_1$ is the identity automorphism of $\mathcal{A}[\zeta_r][\sqrt[s]{c}]$ we get that $\bar\rho_a$ is also an automorphism of $\mathcal{A}[\zeta_r][\sqrt[s]{c}]$, completing the proof. In the rest of the paper we will use $\rho_a$ also to refer to the automorphism $\bar\rho_a$. □

We saw above automorphisms of the Kummer extension $\mathcal{A}[\zeta_r][\sqrt[s]{c}]$ that fix $\mathcal{A}$. When $s = r$ we can also identify automorphisms that fix $\mathcal{A}[\zeta_r]$:

Proposition 4.4. Let $c \in T_{\mathcal{A},r}$ and let $\Delta_r$ be the automorphisms of $\mathcal{A}[\zeta_r][\sqrt[r]{c}]$ identified in Lemma 4.3. Then there is a unique automorphism $\sigma$ of $\mathcal{A}[\zeta_r][\sqrt[r]{c}]$ such that:

(1) $\sigma$ fixes $\mathcal{A}[\zeta_r]$ and maps $\sqrt[r]{c}$ to $\zeta_r\sqrt[r]{c}$.

(2) $\sigma$ commutes with the action of $\Delta_r$.

(3) $\sigma$ is a semiregular automorphism of $\mathcal{A}[\zeta_r][\sqrt[r]{c}]_{\Delta_r}$ of order $r$ and $(\mathcal{A}[\zeta_r][\sqrt[r]{c}]_{\Delta_r})_\sigma = \mathcal{A}$.

Proof. The map fixing $\mathcal{A}[\zeta_r]$ and mapping $Y$ to $\zeta_r Y$ is clearly an automorphism of $\mathcal{A}[\zeta_r][Y]/(Y^r - c)$. This implies the existence and uniqueness of $\sigma$.

Let $\rho_a \in \Delta_r$ be an automorphism of $\mathcal{A}[\zeta_r][\sqrt[r]{c}]$. Clearly, the actions of $\sigma$ and $\rho_a$ commute on any element $x \in \mathcal{A}[\zeta_r]$. Also, since $\omega(a) \equiv a \pmod r$ and $\zeta_r$ has order $r$,
$$((\sqrt[r]{c})^\sigma)^{\rho_a} = (\zeta_r\sqrt[r]{c})^{\rho_a} = \zeta_r^{a}(\sqrt[r]{c})^{\omega(a)} = (\zeta_r\sqrt[r]{c})^{\omega(a)} = ((\sqrt[r]{c})^{\omega(a)})^\sigma = ((\sqrt[r]{c})^{\rho_a})^\sigma.$$
This implies the commutativity of the actions of $\sigma$ and $\Delta_r$ on $\mathcal{A}[\zeta_r][\sqrt[r]{c}]$.

From commutativity it follows that $(\mathcal{A}[\zeta_r][\sqrt[r]{c}]_{\Delta_r})^\sigma = \mathcal{A}[\zeta_r][\sqrt[r]{c}]_{\Delta_r}$; thus $\sigma$ is an automorphism of $\mathcal{A}[\zeta_r][\sqrt[r]{c}]_{\Delta_r}$. Let $G$ be the group generated by $\Delta_r$ and $\sigma$. Then $G$ is a commutative group of order $r(r-1)$. As $\mathcal{A}[\zeta_r][\sqrt[r]{c}]_G = (\mathcal{A}[\zeta_r][\sqrt[r]{c}]_\sigma)_{\Delta_r} = \mathcal{A}[\zeta_r]_{\Delta_r} = \mathcal{A}$, Lemma 3.1 implies that $G$ is semiregular on $\mathcal{A}[\zeta_r][\sqrt[r]{c}]$. But then the subgroup $\Delta_r$ is semiregular as well and by Lemma 3.1
$$\dim_k \mathcal{A}[\zeta_r][\sqrt[r]{c}]_{\Delta_r} = \dim_k \mathcal{A}[\zeta_r][\sqrt[r]{c}] / |\Delta_r| = r \dim_k \mathcal{A} = |\langle\sigma\rangle| \dim_k \mathcal{A}.$$
This again implies that $\sigma$ is a semiregular automorphism of $\mathcal{A}[\zeta_r][\sqrt[r]{c}]_{\Delta_r}$. □
4.2 $\mathcal{A}$ and the Kummer extension of $\mathcal{A}_\tau$, where $\tau \in \mathrm{Aut}_k(\mathcal{A})$

In this subsection we show how to express $\mathcal{A}[\zeta_r]$ as a Kummer extension of $\mathcal{A}_\tau$ given a semiregular $\tau \in \mathrm{Aut}_k(\mathcal{A})$ of order $r$. The Lagrange resolvent technique of [Ró87] remains applicable in our context as well and leads to the following:

Lemma 4.5. Given a commutative semisimple algebra $\mathcal{A}$ over a finite field $k$, a $k$-automorphism $\tau$ of $\mathcal{A}$ of prime order $r \ne \mathrm{char}\,k$ and a root $\xi \in \mathcal{A}_\tau$ of the cyclotomic polynomial $1 + X + \dots + X^{r-1}$, we can find in deterministic $\mathrm{poly}(r, \log|\mathcal{A}|)$ time a nonzero $x \in \mathcal{A}$ such that $x^\tau = \xi x$.

Proof. Observe that if $\xi \in \mathcal{A}$ is a root of $1 + X + \dots + X^{r-1}$ then so is every power $\xi^i$ ($i = 1, \dots, r-1$). Take an element $y \in \mathcal{A} \setminus \mathcal{A}_\tau$ and compute the Lagrange resolvents for $0 \le j \le r-1$:
$$(y, \xi^j) := \sum_{i=0}^{r-1} \xi^{ij} y^{\tau^i}.$$
It is easy to see that $(y, \xi^0) = y + y^\tau + \dots + y^{\tau^{r-1}} \in \mathcal{A}_\tau$ as $\tau^r = \mathrm{id}$, while
$$\sum_{j=0}^{r-1}(y, \xi^j) = ry + \sum_{i=1}^{r-1}\sum_{j=0}^{r-1} \xi^{ij} y^{\tau^i} = ry + \sum_{i=1}^{r-1}\Big(\sum_{j=0}^{r-1}(\xi^i)^j\Big) y^{\tau^i} = ry \notin \mathcal{A}_\tau.$$
It follows that for some $1 \le j \le (r-1)$, $(y, \xi^j) \notin \mathcal{A}_\tau$; fix this $j$. In particular, $(y, \xi^j) \ne 0$ and, taking $l := -j^{-1} \pmod r$, we find that $x := (y, \xi^j)^l$ is also nonzero, as commutative semisimple algebras do not contain nilpotent elements. This $x$ is then the element promised in the claim, since $(y, \xi^j)^\tau = \sum_{i=0}^{r-1} \xi^{ij} y^{\tau^{i+1}} = \xi^{-j}(y, \xi^j)$ and so
$$x^\tau = ((y, \xi^j)^l)^\tau = (\xi^{-j}(y, \xi^j))^l = \xi x. \qquad \square$$

We now proceed to describe an algorithm that, given a $k$-automorphism $\tau$ of $\mathcal{A}$ of prime order $r$, expresses $\mathcal{A}[\zeta_r]$ as a Kummer extension of $\mathcal{A}_\tau$.

Embedding $\mathrm{Aut}_k(\mathcal{A})$ in $\mathrm{Aut}_k(\mathcal{A}[\zeta_r])$: Given a semiregular automorphism $\tau$ of $\mathcal{A}$ we extend $\tau$ to an automorphism of $\mathcal{A}[\zeta_r]$ by letting $\zeta_r^\tau := \zeta_r$. It is easy to see that the extension (denoted again by $\tau$) is a semiregular automorphism of $\mathcal{A}[\zeta_r]$ as well and that it commutes with $\Delta_r$.

Application of Lemma 4.5, techniques from [L91] and a careful treatment of the cases when we find zero divisors give the following.

Proposition 4.6. Given a commutative semisimple algebra $\mathcal{A}$ over a finite field $k$ together with a semiregular $k$-automorphism $\tau$ of $\mathcal{A}$ of prime order $r \ne \mathrm{char}\,k$, we can find in deterministic $\mathrm{poly}(\log|\mathcal{A}|)$ time an element $x \in T_{\mathcal{A},r}$ such that $x^\tau = \zeta_r x$.

Any such $x$ satisfies $c := x^r \in T_{\mathcal{A}_\tau, r}$ and defines an isomorphism $\phi : \mathcal{A}_\tau[\zeta_r][\sqrt[r]{c}] \to \mathcal{A}[\zeta_r]$ which fixes $\mathcal{A}_\tau[\zeta_r]$. Also, $\phi$ commutes with the action of $\Delta_r$, therefore inducing an isomorphism $(\mathcal{A}_\tau[\zeta_r][\sqrt[r]{c}])_{\Delta_r} \cong \mathcal{A}$.

Proof. The proof idea is to first apply Lemma 4.5 to find a nonzero $x \in \mathcal{A}[\zeta_r]$ such that $x^\tau = \zeta_r x$. Note that this $x$ may be a zero divisor of $\mathcal{A}[\zeta_r]$; in that case we intend to decompose $\mathcal{A}[\zeta_r]$ as much as possible and apply Lemma 4.5 to each of these components. This process is repeated till it yields a $y \in \mathcal{A}[\zeta_r]^*$ such that $y^\tau = \zeta_r y$. Secondly, this $y$ is used to form the $x$ and $\phi$ promised in the claim.

We maintain: a decomposition of the identity element $1 = e + f$ into orthogonal idempotents $e, f$ that are fixed by $\tau$; and an element $y \in (f\mathcal{A}[\zeta_r])^*$ such that $y^\tau = \zeta_r y$ (for $f = 0$ we define $(f\mathcal{A}[\zeta_r])^*$ as $\{0\}$). Initially we take $e = 1$, $f = 0$, $y = 0$. Since $\tau$ is semiregular its restriction to $e\mathcal{A}[\zeta_r]$ has to be nontrivial (as long as $e \ne 0$) and hence of prime order $r$. Therefore we can apply Lemma 4.5 with $\xi = e\zeta_r$ to find a nonzero $x \in e\mathcal{A}[\zeta_r]$ such that $x^\tau = (e\zeta_r)x = \zeta_r x$. Now compute the identity element $e_1$ of $x\mathcal{A}[\zeta_r]$ (which is an ideal of $e\mathcal{A}[\zeta_r]$). Note that $x\mathcal{A}[\zeta_r]$ is invariant under $\tau$ since for all $z \in \mathcal{A}[\zeta_r]$, $(xz)^\tau = x^\tau z^\tau = \zeta_r x z^\tau \in x\mathcal{A}[\zeta_r]$. This makes $\tau$ an automorphism of $x\mathcal{A}[\zeta_r]$ and so $\tau$ fixes the identity element $e_1$. We can now replace $e$ with $(e - e_1)$, $f$ with $(f + e_1)$, $y$ with $(x + y)$ and repeat the above steps. Note that the above iteration decomposed $e\mathcal{A}[\zeta_r]$ into the orthogonal components $(e - e_1)\mathcal{A}[\zeta_r]$ and $e_1\mathcal{A}[\zeta_r]$, and thus the procedure has to stop in at most $\dim_k \mathcal{A}[\zeta_r]$ rounds with $e = 0$.

So far we have found an element $y \in \mathcal{A}[\zeta_r]^*$ with $y^\tau = \zeta_r y$. Define $|\mathcal{A}[\zeta_r]_r| =: r^t$, $\ell := |\mathcal{A}[\zeta_r]^*|/r^t$ and $m := (-\ell)^{-1} \pmod r$. Note that $\ell$ can be calculated from the sizes of the simple components of $\mathcal{A}[\zeta_r]$, which in turn can be easily computed by using the standard distinct degree factorization of polynomials over finite fields. Thus, we can compute the element $z := y^{\ell m}$. By the definition of $\ell$ and $y$, $z \in \mathcal{A}[\zeta_r]_r$ and $z^\tau = (\zeta_r y)^{\ell m} = \zeta_r^{\ell m} z$. Next compute the element $x := \prod_{b=1}^{r-1}\big(z^{\omega(b^{-1})}\big)^{\rho_b}$. Note that for all $\rho_a \in \Delta_r$,
$$x^{\rho_a} = \prod_{b=1}^{r-1}\big(z^{\omega(a^{-1}b^{-1})\,\omega(a)}\big)^{\rho_{ab}} = x^{\omega(a)},$$
whence $x \in T_{\mathcal{A},r}$. Also, as $\tau$ commutes with $\Delta_r$, we have
$$x^\tau = \prod_{b=1}^{r-1}\big((\zeta_r^{\ell m} z)^{\omega(b^{-1})}\big)^{\rho_b} = x \cdot \prod_{b=1}^{r-1}\big((\zeta_r^{\ell m})^{\omega(b^{-1})}\big)^{\rho_b} = (\zeta_r^{\ell m})^{r-1} x = \zeta_r x.$$
Finally, we define $c$ as $x^r$. From the properties of $x$, $c \in \mathcal{A}[\zeta_r]_\tau = \mathcal{A}_\tau[\zeta_r]$ and hence $c \in T_{\mathcal{A}_\tau, r}$.

Let us define the map $\phi$ from $\mathcal{A}_\tau[\zeta_r][\sqrt[r]{c}]$ to $\mathcal{A}[\zeta_r]$ as the one that sends $\sqrt[r]{c}$ to $x$ and fixes $\mathcal{A}_\tau[\zeta_r]$. It is obvious from $c = x^r$ that $\phi$ is a homomorphism. If $\phi$ maps an element $\sum_{i=0}^{r-1} a_i(\sqrt[r]{c})^i$ to zero then $\sum_{i=0}^{r-1} a_i x^i = 0$. Applying $\tau$ on this $j$ times gives $\sum_{i=0}^{r-1} a_i \zeta_r^{ij} x^i = 0$ (remember that $\tau$ fixes $\mathcal{A}_\tau[\zeta_r]$ and hence the $a_i$'s). Summing these equations for all $0 \le j \le (r-1)$ we get $a_0 = 0$; as $x$ is invertible this means that $\phi$ maps $\sum_{i=1}^{r-1} a_i(\sqrt[r]{c})^{i-1}$ to zero. We can now repeat the argument and deduce that the $a_i$'s are all zero, thus $\phi$ is injective. Using that $x \in T_{\mathcal{A},r}$, it is also straightforward to verify that $\phi$ commutes with $\Delta_r$ (viewed as automorphisms of $\mathcal{A}_\tau[\zeta_r][\sqrt[r]{c}]$). Thus it remains to show that $\phi$ is surjective. To this end let $\mathcal{B}$ denote the image of $\phi$. Then $\mathcal{B}$ is the subalgebra of $\mathcal{A}[\zeta_r]$ generated by $\mathcal{A}_\tau[\zeta_r]$ and $x$, thus $\mathcal{B}$ is $\tau$-invariant. Suppose we can show $\tau$ semiregular on $\mathcal{B}$. Then by Lemma 3.1 $\dim_k \mathcal{B} = r \dim_k \mathcal{B}_\tau$; this, together with $\mathcal{B}_\tau$ containing $\mathcal{A}_\tau[\zeta_r]$ and the injectivity of $\phi$, means that $\dim_k \mathcal{B} \ge r \dim_k \mathcal{A}_\tau[\zeta_r] = r \dim_k \mathcal{A}[\zeta_r]_\tau$, which is further equal to $\dim_k \mathcal{A}[\zeta_r]$ as $\tau$ is semiregular on $\mathcal{A}[\zeta_r]$. Thus, $\dim_k \mathcal{B} \ge \dim_k \mathcal{A}[\zeta_r]$, which obviously means that $\phi$ is indeed surjective.

It remains to prove the semiregularity of $\tau$ on $\mathcal{B}$. Assume for contradiction that $I$ is a nonzero ideal of $\mathcal{B}$ such that $\tau$ fixes $I$, and let $e$ be the identity element of $I$. Then $(ex)^\tau = ex$. On the other hand, as $e^\tau = e$ and $x^\tau = \zeta_r x$, we have $(ex)^\tau = \zeta_r ex$. Combining the two equalities we obtain that $(ex)(\zeta_r - 1) = 0$. Note that if $r = 2$ then $\mathrm{char}\,k > 2$ and $(\zeta_r - 1)$ is not a zero divisor, and if $r > 2$ then $\mathcal{A}[\zeta_r]$ is a free $\mathcal{A}$-module with basis $\{1, \zeta_r, \dots, \zeta_r^{r-2}\}$. Thus, $x(\zeta_r - 1)$ is invertible in all cases, implying $e = 0$, which is a contradiction. Thus $\tau$ is indeed semiregular on $\mathcal{B}$, completing the proof that $\phi$ is an isomorphism. □

4.3 Zero Divisors using Noncyclic Groups: Proof of Application 2 

In this part we prove Application 2 by proving the following stronger result. 

Theorem 4.7. Given a commutative semisimple algebra $\mathcal{A}$ over a finite field $k$ together with a noncyclic group $G$ of $k$-automorphisms of $\mathcal{A}$ (in terms of generators), one can find a zero divisor in $\mathcal{A}$ in deterministic polynomial time.

Proof. Notice that since $G$ is noncyclic, the algebra $\mathcal{A}$ is certainly not a field and zero divisors do exist. We assume that $G$ is semiregular, otherwise we can efficiently find a zero divisor in $\mathcal{A}$ by Proposition 3.2. We can also assume that $|G|$ is not divisible by $\mathrm{char}\,k$, otherwise $\mathrm{char}\,k \le |G| \le \dim_k \mathcal{A}$ and Berlekamp's deterministic algorithm for polynomial factoring can be used to find all the simple components of $\mathcal{A}$.

As $G$ is a small group, of size at most $\dim_k \mathcal{A}$, we can list all its elements of prime order. The proof now proceeds by analyzing the Sylow subgroups of $G$ and showing them all cyclic unless they yield a zero divisor of $\mathcal{A}$. For every prime divisor $r$ of $|G|$ let $\Pi_r$ be the set of elements of $G$ of order $r$ and let $P_r$ be an $r$-Sylow subgroup of $G$. For every $\sigma \in \Pi_r$ we can use Proposition 4.6 to compute an element $x_\sigma \in T_{\mathcal{A},r}$ with $x_\sigma^\sigma = \zeta_r x_\sigma$. Let $H_r$ be the subgroup of $T_{\mathcal{A},r}$ generated by $\{x_\sigma \mid \sigma \in \Pi_r\}$.

We can assume $H_r$ to be cyclic, or else we can find a zero divisor in $\mathcal{A}$ by Lemma 4.2. So choose an element $x \in \{x_\sigma \mid \sigma \in \Pi_r\}$ such that $x$ is a generator of $H_r$. Now for any $\sigma \in G$, as $x^\sigma$ is again in $T_{\mathcal{A},r}$ we can assume $x^\sigma \in H_r$, for otherwise we can find a zero divisor by Lemma 4.2. Thus, $H_r$ is $G$-invariant and $G$ acts as a group of automorphisms of $H_r$. As every element of $P_r$ of order $r$ moves some element in $H_r$, there is no nontrivial element of $P_r$ acting trivially on $H_r$, thus $P_r$ intersects trivially with the kernel $K_r$ of the restriction homomorphism $G \to \mathrm{Aut}(H_r)$. Since $H_r$ is cyclic, its automorphism group is Abelian. The last two observations imply that $G/K_r$ is an Abelian group with a natural embedding $P_r \hookrightarrow G/K_r \hookrightarrow \mathrm{Aut}(H_r)$. Thus the normal series $K_r \lhd G$ can be refined to $K_r \le N_r \lhd G$ such that $|P_r| = |G/N_r|$. Since we have this for every $r$ dividing $|G|$, it follows that $G$ is a direct product of its Sylow subgroups. Also, as each $P_r$ is Abelian, $G$ is Abelian. Moreover, since the automorphism group of a cyclic group of odd prime-power order is cyclic, $\mathrm{Aut}(H_r)$ is cyclic and finally $P_r$ is cyclic, for every odd prime $r \mid |G|$.

It remains to show that we can find a zero divisor efficiently if the 2-Sylow subgroup $P_2$ of $G$ is not cyclic. To this end we take a closer look at the subgroup $H_2$ constructed for the prime $r = 2$ by the method outlined above. It is generated by an element $x$, contains $-1$, and $P_2$ acts faithfully as a group of automorphisms of $H_2$. If $|H_2| = 2^k$ then $\mathrm{Aut}(H_2) \cong \mathbb{Z}_{2^k}^*$. As $P_2$ injectively embeds in $\mathrm{Aut}(H_2)$ and $P_2$ is noncyclic, we get that $\mathbb{Z}_{2^k}^*$ is noncyclic, implying that $k > 2$ and structurally $\mathbb{Z}_{2^k}^*$ is the direct product of the cyclic groups generated by $(-1)$ and $5$ modulo $2^k$ respectively. Now any noncyclic subgroup of such a $\mathbb{Z}_{2^k}^*$ will have the order 2 elements $(-1)$ and $5^{2^{k-3}} = (2^{k-1} + 1)$. Thus, $P_2$ has the maps $\sigma_1 : x \mapsto x^{-1}$ and $\sigma_2 : x \mapsto x^{2^{k-1}+1} = -x$. Since $\sigma_1$ and $\sigma_2$ commute, $\mathcal{A}_{\sigma_1}$ is $\sigma_2$-invariant. As the group $\langle\sigma_1, \sigma_2\rangle$ is of size 4 while the group $\langle\sigma_1\rangle$ is only of size 2, we get by the semiregularity of $G$ that the restriction of $\sigma_2$ to $\mathcal{A}_{\sigma_1}$ is not the identity map. Hence, by Proposition 4.6 we can find an element $y \in T_{\mathcal{A}_{\sigma_1}, 2}$ such that $y^{\sigma_2} = -y$. We can assume that the subgroup of $\mathcal{A}^*$ generated by $x$ and $y$ is cyclic, as otherwise we find a zero divisor by Lemma 4.2. However, as $x \notin \mathcal{A}_{\sigma_1}$ while $y \in \mathcal{A}_{\sigma_1}$, it can be seen that $\langle x, y\rangle$ is a cyclic group only if $y \in H_2^2$ (i.e. $y$ is the square of an element in $H_2$). But this is a contradiction because $\sigma_2$ fixes $H_2^2$. This finishes the proof. □

Now we can give a proof of Application 2. Let $r$ be a positive integer such that the multiplicative group $\mathbb{Z}_r^*$ is noncyclic and let $\phi_r(x)$ be the $r$-th cyclotomic polynomial. We can assume $r$ to be coprime to $\mathrm{char}\,k$, as otherwise we factor $\phi_r(x)$ simply by using Berlekamp's algorithm for polynomial factoring. Define $\mathcal{A} := k[x]/(\phi_r(x))$; it is clearly a commutative semisimple algebra of dimension $\varphi(r)$ over $k$. Moreover, if $\zeta \in \bar{k}$ is a primitive $r$-th root of unity then $\phi_r(x) = \prod_{i \in \mathbb{Z}_r^*}(x - \zeta^i)$. This implies that for any $i \in \mathbb{Z}_r^*$, $\phi_r(x) \mid \phi_r(x^i)$, and if for a $g(X) \in k[X]$, $\phi_r(x) \mid g(x^i)$ then $\phi_r(X) \mid g(X)$ as well. In other words, for any $i$ coprime to $r$ the map $\rho_i : x \mapsto x^i$ is a $k$-automorphism of $\mathcal{A}$. Consider the group $G := \{\rho_i \mid i \in \mathbb{Z}_r^*\}$; it is clearly isomorphic to the multiplicative group $\mathbb{Z}_r^*$, which is noncyclic for our $r$. Thus, $G$ is noncyclic and we can find a zero divisor $a(x) \in \mathcal{A}$ by Theorem 4.7. Finally, the gcd of $a(x)$ and $\phi_r(x)$ gives a nontrivial factor of $\phi_r(x)$.
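The following is an added worked example, not code from the paper. It builds the cyclotomic algebra $\mathcal{A} = \mathbb{F}_p[x]/(\phi_n(x))$ with plain list-based polynomial arithmetic, implements the Lagrange resolvent of Lemma 4.5 (with the eigen-element $x = (y, \xi^j)^l$, $l = -j^{-1} \bmod r$), and runs the steps of Application 2 on the constructed instance $r = 8$, $k = \mathbb{F}_{17}$, where $\mathbb{Z}_8^*$ is noncyclic. All names (`CyclotomicAlgebra`, `eigen_element`, `zero_divisor_from_pair`, `application2_demo`) are this example's own. Two simplifications are assumptions of the example, not the paper's procedure: the choice $\sigma_1 = \rho_7$, $\sigma_2 = \rho_5$ and the trace element $x + x^{-1} \in \mathcal{A}_{\sigma_1}$ are hand-picked for this instance instead of being computed as in the proof of Theorem 4.7, and the exhaustive exponent search in `zero_divisor_from_pair` stands in for Lemma 2.1, whose statement is not reproduced here.

```python
from math import gcd

# Polynomials over F_p are coefficient lists, lowest degree first; [] is zero.
def trim(a):
    while a and a[-1] == 0:
        a.pop()
    return a

def add(a, b, p):
    n = max(len(a), len(b))
    return trim([((a[i] if i < len(a) else 0) + (b[i] if i < len(b) else 0)) % p for i in range(n)])

def mul(a, b, p):
    out = [0] * (len(a) + len(b) - 1) if a and b else []
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % p
    return trim(out)

def divmod_poly(a, m, p):
    """Quotient and remainder of a by the monic polynomial m."""
    a, q = a[:], [0] * max(len(a) - len(m) + 1, 0)
    while len(a) >= len(m):
        coef, shift = a[-1], len(a) - len(m)
        q[shift] = coef
        for i, mi in enumerate(m):
            a[shift + i] = (a[shift + i] - coef * mi) % p
        trim(a)
    return trim(q), a

def monic(a, p):
    inv = pow(a[-1], -1, p)
    return [(c * inv) % p for c in a]

def gcd_poly(a, b, p):
    a, b = trim(a[:]), trim(b[:])
    while b:
        b = monic(b, p)
        a, b = b, divmod_poly(a, b, p)[1]
    return monic(a, p)

def cyclotomic(n, p):
    """Phi_n over F_p: (x^n - 1) divided by Phi_d for every proper divisor d of n."""
    num = [(-1) % p] + [0] * (n - 1) + [1]
    for d in (d for d in range(1, n) if n % d == 0):
        num, rem = divmod_poly(num, cyclotomic(d, p), p)
        assert rem == []
    return num

class CyclotomicAlgebra:
    """A = F_p[x]/(Phi_n(x)); elements are coefficient lists reduced modulo Phi_n."""
    def __init__(self, p, n):
        self.p, self.phi = p, cyclotomic(n, p)
    def reduce(self, a):
        return divmod_poly(a, self.phi, self.p)[1]
    def mul(self, a, b):
        return self.reduce(mul(a, b, self.p))
    def power(self, a, e):
        result, base = [1], a
        while e:
            if e & 1:
                result = self.mul(result, base)
            base, e = self.mul(base, base), e >> 1
        return result
    def rho(self, i, a):
        """The map rho_i : x -> x^i applied to a (Horner evaluation at x^i)."""
        xi, result = self.power([0, 1], i), []
        for c in reversed(a):
            result = self.reduce(add(mul(result, xi, self.p), [c], self.p))
        return result

def lagrange_resolvent(A, t, y, xi, j, r):
    """(y, xi^j) = sum_{i=0}^{r-1} xi^{ij} y^{tau^i}, tau = rho_t of prime order r (Lemma 4.5)."""
    total, y_t = [], y
    for i in range(r):
        total = add(total, A.mul(A.power(xi, i * j), y_t), A.p)
        y_t = A.rho(t, y_t)
    return total

def eigen_element(A, t, xi, r, y):
    """Lemma 4.5: from y outside A_tau, return a nonzero x with x^tau = xi * x."""
    assert A.rho(t, y) != y, "y must not be fixed by tau"
    for j in range(1, r):
        v = lagrange_resolvent(A, t, y, xi, j, r)
        if A.rho(t, v) != v:                          # (y, xi^j) is not in A_tau
            return A.power(v, (-pow(j, -1, r)) % r)  # x = (y, xi^j)^l with l = -j^{-1} mod r

def zero_divisor_from_pair(A, u, v, emax):
    """If <u, v> is not cyclic in A^*, some u^i - v^j is a nonzero zero divisor; the exhaustive
    search below (exponents < emax) is this example's stand-in for the paper's Lemma 2.1."""
    for i in range(emax):
        for j in range(emax):
            z = add(A.power(u, i), [(-c) % A.p for c in A.power(v, j)], A.p)
            if z and len(gcd_poly(z, A.phi, A.p)) > 1:
                return z

def application2_demo():
    """Constructed instance of Application 2: r = 8, k = F_17; returns a factor of Phi_8 = x^4 + 1."""
    p, r = 17, 8
    A = CyclotomicAlgebra(p, r)
    units = [i for i in range(1, r) if gcd(i, r) == 1]
    assert all(A.rho(i, A.phi) == [] for i in units)  # Phi_r(x) | Phi_r(x^i): each rho_i is an automorphism
    assert all(i * i % r == 1 for i in units)          # every rho_i has order <= 2, so G = Z_8^* is noncyclic
    minus_one = [p - 1]                                # zeta_2 = -1 lies in k
    u = eigen_element(A, 5, minus_one, 2, [1, 1])      # u^{rho_5} = -u; sigma_2 = rho_5, sigma_1 = rho_7 (hand-picked)
    trace = add([0, 1], A.rho(7, [0, 1]), p)           # x + x^{-1} is fixed by sigma_1: a hand-picked y in A_{sigma_1}
    v = eigen_element(A, 5, minus_one, 2, trace)       # v in A_{sigma_1} with v^{sigma_2} = -v, as in Theorem 4.7
    z = zero_divisor_from_pair(A, u, v, 16)            # 16 bounds the orders of u and v (2-elements of A^*)
    return gcd_poly(z, A.phi, p)                       # gcd(a(x), Phi_r(x)) is a nontrivial factor of Phi_r
```

`application2_demo()` returns the monic factor $x + 8$ of $x^4 + 1$ over $\mathbb{F}_{17}$. The same `eigen_element` also covers an odd prime: in `CyclotomicAlgebra(7, 9)` the automorphism $\rho_4$ has order 3 and $\xi = x^3$ is a root of $1 + X + X^2$, so `eigen_element(A9, 4, [0, 0, 0, 1], 3, [1, 0, 1])` returns a nonzero $x_0$ with $x_0^{\rho_4} = x^3 x_0$.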

Rational polynomials known to have small but noncommutative Galois groups also emerge in various branches of mathematics and its applications. For example, the six roots of the polynomial $F_j(X) = (X^2 - X + 1)^3 - \frac{j}{256} X^2 (X - 1)^2$ are the possible parameters $\lambda$ of the elliptic curves from the Legendre family $E_\lambda$ having prescribed $j$-invariant $j$, see [Hu86]. (Recall that the curve $E_\lambda$ is defined by the equation $Y^2 = X(X - 1)(X - \lambda)$.) The Galois group of $F_j(X)$ is $S_3$, whence Theorem 4.7 gives a partial factorization of the polynomial $F_j(X)$ modulo $p$ where $p$ is odd and $j$ is coprime to $p$.

4.4 Extending Automorphisms of $\mathcal{A}_\tau$ to $\mathcal{A}$, where $\tau \in \mathrm{Aut}_k(\mathcal{A})$

Lemma 4.8. Given a commutative semisimple algebra $\mathcal{A}$ over a finite field $k$, a $k$-automorphism $\tau$ of $\mathcal{A}$ and a $k$-automorphism $\mu$ of $\mathcal{A}_\tau$. Assume that the order of $\tau$ is coprime to $\mathrm{char}\,k$. Then in deterministic $\mathrm{poly}(\log|\mathcal{A}|)$ time we can compute either a zero divisor in $\mathcal{A}$ or a $k$-automorphism $\mu'$ of $\mathcal{A}$ that extends $\mu$ such that $\mathcal{A}_{\mu'} = (\mathcal{A}_\tau)_\mu$.

Proof. Suppose that the order of $\tau$ is $r_1 \cdots r_t$, where the $r_i$'s are primes (not necessarily distinct). Clearly it is sufficient to show how to extend $\mu$ from $\mathcal{A}_{\tau^{r_1 \cdots r_{i-1}}}$ to $\mathcal{A}_{\tau^{r_1 \cdots r_i}}$ (or find a zero divisor during the process). We can therefore assume that the order of $\tau$ is a prime $r$. We may also assume that both $\tau$ and $\mu$ are semiregular, since otherwise we can find a zero divisor in $\mathcal{A}$ by Proposition 3.2. We work in the algebra $\mathcal{A}[\zeta_r]$. We extend $\tau$ to $\mathcal{A}[\zeta_r]$ and $\mu$ to $\mathcal{A}_\tau[\zeta_r]$ in the natural way. By Proposition 4.6 we can efficiently find $x \in T_{\mathcal{A},r}$ such that $x^\tau = \zeta_r x$. Clearly, $c := x^r \in T_{\mathcal{A}_\tau, r}$ and $c^\mu \in T_{\mathcal{A}_\tau, r}$. The elements $c$ and $c^\mu$ have the same order. If $c^\mu$ is not in the cyclic group generated by $c$ then by Lemma 4.2 we can find a zero divisor in $\mathcal{A}$. So assume that $c^\mu$ is in the cyclic group generated by $c$, in which case find an integer $j$ coprime to $r$ such that $c^\mu = c^j$ using Lemma 2.1. Note that by Lemma 4.2 we can also find a zero divisor in $\mathcal{A}$ in the case when $\zeta_r$ is not a power of $c$, so assume that $\zeta_r = c^i$ and compute this integer $i$. Then $\zeta_r = \zeta_r^\mu = (c^i)^\mu = (c^\mu)^i = c^{ij} = \zeta_r^j$, and hence $j \equiv 1 \pmod r$. We set $x' := x^j$. As $x^\tau = \zeta_r x$ and $x'^\tau = \zeta_r x'$, by the proof of Proposition 4.6 there are isomorphism maps $\phi : \mathcal{A}_\tau[\zeta_r][\sqrt[r]{c}] \to \mathcal{A}[\zeta_r]$ and $\phi' : \mathcal{A}_\tau[\zeta_r][\sqrt[r]{c^j}] \to \mathcal{A}[\zeta_r]$ sending $\sqrt[r]{c}$ to $x$ and $\sqrt[r]{c^j}$ to $x'$ respectively, both fixing $\mathcal{A}_\tau[\zeta_r]$. We can naturally extend $\mu$ to an isomorphism map $\mu'' : \mathcal{A}_\tau[\zeta_r][\sqrt[r]{c}] \to \mathcal{A}_\tau[\zeta_r][\sqrt[r]{c^j}]$. Then the composition map $\mu' := \phi' \circ \mu'' \circ \phi^{-1}$ is an automorphism of $\mathcal{A}[\zeta_r]$ whose restriction to $\mathcal{A}_\tau[\zeta_r]$ is $\mu$. As $\mu''$, $\phi$ and $\phi'$ commute with $\Delta_r$, so does $\mu'$. Therefore $\mathcal{A} = \mathcal{A}[\zeta_r]_{\Delta_r}$ is $\mu'$-invariant and we have the promised $k$-automorphism of $\mathcal{A}$. □

4.5 Zero Divisors using Galois Groups: Proof of Application 3

If the input polynomial $f(x) \in \mathbb{Z}[x]$ has a "small" Galois group, then can we factor $f(x)$ modulo a prime $p$? This question was studied in [Ró89b] and an algorithm was given assuming GRH. In this subsection we give a GRH-free version. We start with the following unconditional and generalized version of Theorem 3.1 in [Ró89b]:

Theorem 4.9. Assume that we are given a semiregular group $G$ of automorphisms of a commutative semisimple algebra $\mathcal{A}$ over a finite field $k$ with $\mathcal{A}_G = k$ and a nonzero ideal $\mathcal{B}$ (with $k$ embedded) of a subalgebra of $\mathcal{A}$. Then in deterministic $\operatorname{poly}(\log|\mathcal{A}|)$ time we can either find a zero divisor in $\mathcal{B}$ or a semiregular $k$-automorphism $\sigma$ of $\mathcal{B}$ of order $\dim_k \mathcal{B}$.

Remark. Here $\mathcal{B}$ is an ideal of a subalgebra of $\mathcal{A}$, thus it is not assumed that $1_{\mathcal{A}} \in \mathcal{B}$.

Proof. The idea of the algorithm is to find a nontrivial ideal $I$ of $\mathcal{A}$ and then reduce the problem to the smaller instance $I$.

If $G$ is noncyclic then using Theorem 4.7 we can find a nontrivial ideal $I$ of $\mathcal{A}$. If $G$ is cyclic then using Proposition 3.3 we can find either a nontrivial ideal $I$ of $\mathcal{A}$ or a subgroup $H$ of $G$ with $\mathcal{B} = \mathcal{A}_H$. In the latter case $H$ is trivially a normal subgroup of $G$ and the restriction of any generator $\sigma$ of $G$ will generate a semiregular group, of $k$-automorphisms of $\mathcal{B}$, isomorphic to $G/H$. Thus, we get a semiregular $k$-automorphism of $\mathcal{B}$ of order $|G/H| = \dim_k \mathcal{B}$.

Let us assume we have a nontrivial ideal $I$ of $\mathcal{A}$. Then, using the method of Lemma 2.3 we find an ideal $J$ of $\mathcal{A}$ such that the ideals $\{J^\sigma \mid \sigma \in G\}$ are pairwise orthogonal or equal. By the hypothesis $\mathcal{A}_G = k$, $G$ acts transitively on the minimal ideals of $\mathcal{A}$, thus the group $G_1 := \{\sigma \in G \mid J^\sigma = J\}$ acts semiregularly on $J$ and for coset representatives $C$ of $G/G_1$: $\mathcal{A} = \bigoplus_{\sigma \in C} J^\sigma$. Also, note that for all $\sigma \in C$ the conjugate subgroup $G_1^\sigma := \sigma^{-1} G_1 \sigma$ acts semiregularly on $J^\sigma$. We can find a zero divisor in $\mathcal{B}$ if the projection of $\mathcal{B}$ to some $J^\sigma$ is neither the zero map nor injective. Thus we assume that there is an ideal $J^\sigma$ such that the projection of $\mathcal{A}$ onto $J^\sigma$ injectively embeds $\mathcal{B}$. In that case we reduce our original problem to the smaller instance ($J^\sigma$ instead of $\mathcal{A}$, $G_1^\sigma$ instead of $G$ and the embedding of $\mathcal{B}$ instead of $\mathcal{B}$) and apply the steps of the last paragraph. □

The following Corollary gives the proof of a slightly stronger version of Application 3. 

Corollary 4.10. Let $F(X) \in \mathbb{Z}[X]$ be a polynomial irreducible over $\mathbb{Q}$ with Galois group of size $m$; let $L$ be the maximum length of the coefficients of $F(X)$; let $p$ be a prime not dividing the discriminant of $F(X)$; let $f(X) := F(X) \pmod p$; and let $g(X)$ be a non-constant divisor of $f(X)$ in $\mathbb{F}_p[X]$. Then by a deterministic $\operatorname{poly}(m, L, \log p)$ time algorithm we can find either a nontrivial factor of $g(X)$ or an automorphism of order $\deg g$ of the algebra $\mathbb{F}_p[x]/(g(x))$.

Proof. The assumption on the discriminant implies that the leading coefficient of $F(X)$ is not divisible by $p$, and wlog we can assume $F(X)$ to be monic. Also assume that $p >$ as otherwise we can use Berlekamp's deterministic algorithm for factoring $f(x)$ completely. Now using the algorithm of Theorem 5.3 of [Ró89b], we compute an algebraic integer $\alpha := x \pmod{H(x)}$ generating the splitting field $\mathbb{Q}[x]/(H(x))$ of $F(X)$ such that the discriminant of the minimal polynomial $H(X)$ of $\alpha$ is not divisible by $p$. Define $\mathcal{A} := \mathbb{Z}[\alpha]/(p)$ and using the method described in Section 4 of [Ró89b], we efficiently compute a group $G$ of automorphisms of $\mathcal{A}$ which is isomorphic to the Galois group of $\alpha$ over the rationals.

Let $\beta \in \mathbb{Q}[x]/(H(x))$ be a root of $F(X)$. Then $\beta = \sum_{i=0}^{m-1} a_i \alpha^i$ for some $a_i \in \mathbb{Q}$. From Proposition 13 of Chapter 3 in [La80], for every $0 \le i < m$, $a_i$ can be written in the form $a_i = r_i/q_i$, where $r_i, q_i \in \mathbb{Z}$ and $q_i$ is coprime to $p$. Compute $t_i \in \mathbb{Z}$ with $t_i q_i \equiv 1 \pmod p$. Then $\beta' := \sum_{i=0}^{m-1} r_i t_i \alpha^i$ is in $\mathbb{Z}[\alpha]$ and the minimal polynomial of the element $\bar\beta := \beta' \pmod p \in \mathcal{A}$ is $f(X)$. Let $\mathcal{C}$ be the subalgebra $\mathbb{F}_p[\bar\beta]$ contained in $\mathcal{A}$. Notice that $\mathcal{C}$ is isomorphic to the algebra $\mathbb{F}_p[x]/(f(x))$. Let $\mathcal{B}$ be the ideal of $\mathcal{C}$ generated by $f(\bar\beta)/g(\bar\beta)$. Then $\mathcal{B}$ is isomorphic to the algebra $\mathbb{F}_p[x]/(g(x))$ and hence a zero divisor of $\mathcal{B}$ will give us a factor of $g(X)$. So we run the algorithm described in Theorem 4.9 on $G, \mathcal{A}, \mathcal{B}$ and get either a factor of $g(X)$ or an automorphism of $\mathcal{B}$ of order $\dim_{\mathbb{F}_p} \mathcal{B}$, thus finishing the proof. □

5 Finding Automorphisms of Algebras via Kummer Extensions

In this section we complete the proof of our main Theorem, i.e. given a commutative semisimple algebra $\mathcal{A}$ over a finite field $k$ we can unconditionally find a nontrivial $k$-automorphism of $\mathcal{A}$ in deterministic subexponential time. The proof involves computing tensor powers of $\mathcal{A}$, whose automorphisms we know, and then bringing down those automorphisms to $\mathcal{A}$. Before embarking on the proof we need to first see how to bring down automorphisms using Kummer extensions, and define notions related to tensor powers of $\mathcal{A}$.

5.1 Bringing Down Automorphisms of $\mathcal{D}$ to $\mathcal{A} < \mathcal{D}$

We do this by using Kummer extensions, so we first show how to embed a Kummer extension of $\mathcal{A}$ into the cyclotomic extension of $\mathcal{D}$.

Lemma 5.1. Let $\mathcal{A} < \mathcal{D}$ be commutative semisimple algebras over a finite field $k$ and let $r \ne \operatorname{char} k$ be a prime. Then for any $x \in T_{\mathcal{D},r} \setminus \mathcal{A}[\zeta_r]$ satisfying $c := x^r \in \mathcal{A}[\zeta_r]$, there is a unique ring homomorphism $\phi : \mathcal{A}[\zeta_r][\sqrt[r]{c}] \to \mathcal{D}[\zeta_r]$ that fixes $\mathcal{A}[\zeta_r]$, maps $\sqrt[r]{c}$ to $x$ and:

(1) $\phi$ commutes with the action of $\Lambda_r$, thus $\phi(\mathcal{A}[\zeta_r][\sqrt[r]{c}]_{\Lambda_r}) \le \mathcal{D}$.

(2) $\phi$ is injective if and only if its restriction to $\mathcal{A}[\zeta_r][\sqrt[r]{c}]_{\Lambda_r}$ is injective.

(3) If $\phi$ is not injective then we can find a zero divisor of $\mathcal{D}$ in deterministic polynomial time.

Proof. The existence and uniqueness of the homomorphism $\phi$ are obvious: the map from $\mathcal{A}[\zeta_r][X]$ to $\mathcal{D}[\zeta_r]$ which sends $X$ to $x$ factors through $\mathcal{A}[\zeta_r][\sqrt[r]{c}]$.

As $x \in T_{\mathcal{D},r}$, for every $\rho_a \in \Lambda_r$ we have $\phi((\sqrt[r]{c})^{\rho_a}) = \phi((\sqrt[r]{c})^a) = x^a = (\phi(\sqrt[r]{c}))^{\rho_a}$. On the other hand, for every $u \in \mathcal{A}[\zeta_r]$ we have $\phi(u)^{\rho_a} = u^{\rho_a} = \phi(u^{\rho_a})$. As $\mathcal{A}[\zeta_r]$ and $\sqrt[r]{c}$ generate $\mathcal{A}[\zeta_r][\sqrt[r]{c}]$, the two equalities above prove that $\phi$ commutes with the action of $\Lambda_r$. As a consequence, $\phi(\mathcal{A}[\zeta_r][\sqrt[r]{c}]_{\Lambda_r}) \le \mathcal{D}[\zeta_r]_{\Lambda_r} = \mathcal{D}$.

Since the elements $1, \zeta_r, \ldots, \zeta_r^{r-2}$ form a free basis of $\mathcal{D}[\zeta_r]$ as a $\mathcal{D}$-module, the subspaces $\zeta_r^i \mathcal{D}$ of $\mathcal{D}[\zeta_r]$ ($i = 0, \ldots, r-2$) are independent over $k$. This means the images $\phi(\zeta_r^i(\mathcal{A}[\zeta_r][\sqrt[r]{c}]_{\Lambda_r}))$ are independent as well, thus $\dim_k \phi(\mathcal{A}[\zeta_r][\sqrt[r]{c}]) = (r-1)\dim_k \phi(\mathcal{A}[\zeta_r][\sqrt[r]{c}]_{\Lambda_r})$. This together with the fact $\dim_k \mathcal{A}[\zeta_r][\sqrt[r]{c}] = (r-1)\dim_k \mathcal{A}[\zeta_r][\sqrt[r]{c}]_{\Lambda_r}$ means that $\phi$ is injective if and only if its restriction to $\mathcal{A}[\zeta_r][\sqrt[r]{c}]_{\Lambda_r}$ is.

To see the last assertion assume that $\phi$, and hence its restriction to $\mathcal{C} := \mathcal{A}[\zeta_r][\sqrt[r]{c}]_{\Lambda_r}$, is not injective. We compute the kernel $I$ of $\phi|_{\mathcal{C}}$; clearly $I$ is a nonzero ideal of $\mathcal{C}$. Let $\sigma$ be the semiregular $k$-automorphism of $\mathcal{C}$ investigated in Proposition 4.4, which also tells us that $\dim_k \mathcal{C} = r \dim_k \mathcal{A}$. Assume that $\phi(\mathcal{C}) =: \mathcal{D}'$. We compute $J := \{u \in \mathcal{C} \mid uI = 0\}$, the ideal complementary to $I$ so that $\mathcal{C} = I \oplus J$. Note that by the definition of $I$, the restriction of $\phi$ to $J$ yields an isomorphism $J \cong \mathcal{D}'$. Hence finding a zero divisor in $J$ implies finding a zero divisor in $\mathcal{D}$. Let $e_J$ be the identity element of $J$; then as $\phi$ fixes $\mathcal{A}$, for all $a \in \mathcal{A}$, $a = \phi(a) = \phi(e_J a)$, in other words $\phi$ induces an isomorphism $e_J \mathcal{A} \cong \mathcal{A}$. Using this we now show that the action of $\sigma$ on $J$ yields a zero divisor in $J$.

Firstly, we claim that for all $1 \le i \le (r-1)$, $J \ne J^{\sigma^i}$. Suppose for some $1 \le i \le (r-1)$, $J^{\sigma^i} = J$ and $\sigma^i$ fixes $J$; then $J \subseteq \mathcal{C}_{\sigma^i} = \mathcal{A}$. This together with the fact that $\phi$ injectively embeds $\mathcal{A}$ in $J$ gives $J = \mathcal{A}$, which implies that $\phi(\mathcal{C}) = \mathcal{A}$, thus $\phi(\mathcal{A}[\zeta_r][\sqrt[r]{c}]) = \phi(\mathcal{C}[\zeta_r]) = \mathcal{A}[\zeta_r]$, contradicting $x \notin \mathcal{A}[\zeta_r]$. The other case then is: for some $1 \le i \le (r-1)$, $J^{\sigma^i} = J$ and the restriction of $\sigma^i$ to $J$ is a semiregular automorphism of order $r$ of $J$, therefore $\dim_k J = r \dim_k J_{\sigma^i} \ge r \dim_k e_J\mathcal{A} = r \dim_k \mathcal{A}$ (as $\sigma^i$ fixes $\mathcal{A}$ it has to fix $e_J \mathcal{A}$), which contradicts $\dim_k J < \dim_k \mathcal{C} = r \dim_k \mathcal{A}$. Secondly, we claim that for some $i \in \{1, \ldots, r-1\}$, $J \cap J^{\sigma^i} \ne 0$. Indeed, assuming the contrary, we would have $J^{\sigma^i} \cap J^{\sigma^j} = (J \cap J^{\sigma^{j-i}})^{\sigma^i} = 0$ whenever $i \not\equiv j \pmod r$, whence the $J^{\sigma^i}$ would be pairwise orthogonal ideals, whence $\dim_k J = \frac{1}{r}\dim_k \sum_{i=0}^{r-1} J^{\sigma^i} \le \frac{1}{r}\dim_k \mathcal{C} = \dim_k \mathcal{A}$. This together with the fact that $\phi$ injectively embeds $\mathcal{A}$ in $J$ gives $J = \mathcal{A}$, which implies that $\phi(\mathcal{C}) = \mathcal{A}$, thus $\phi(\mathcal{A}[\zeta_r][\sqrt[r]{c}]) = \phi(\mathcal{C}[\zeta_r]) = \mathcal{A}[\zeta_r]$, contradicting $x \notin \mathcal{A}[\zeta_r]$.

From the above two claims we get an $i \in \{1, \ldots, r-1\}$ for which $J \ne J^{\sigma^i}$ and $J \cap J^{\sigma^i} \ne 0$, whence by the method of Lemma 2.3 we get a zero divisor of $J$, thus finishing the proof. □

Now we show the main result of this subsection: bringing down automorphisms of $\mathcal{D}$ to $\mathcal{A} < \mathcal{D}$.

Proposition 5.2. Given a commutative semisimple algebra $\mathcal{D}$ over a finite field $k$, its semiregular $k$-automorphism $\tau$ of prime order $r \ne \operatorname{char} k$, and a subalgebra $\mathcal{A} \ni k$ of $\mathcal{D}$ such that $\dim_k \mathcal{D} / \dim_k \mathcal{A}$ is an integer not divisible by $r$. Then we can find in deterministic $\operatorname{poly}(\log|\mathcal{D}|)$ time either a zero divisor in $\mathcal{A}$ or a subalgebra $\mathcal{C} \le \mathcal{A}$ together with a semiregular automorphism $\tau'$ of $\mathcal{C}$ of order $r$ such that $\mathcal{C}_{\tau'} \ge \mathcal{A}_\tau$ ($:= \mathcal{A} \cap \mathcal{D}_\tau$).

Proof. We use the method of Proposition 4.6 to find an element $x \in T_{\mathcal{D},r}$ such that $x^\tau = \zeta_r x$. If $x \in \mathcal{A}[\zeta_r]$ then we define $\mathcal{C} := \mathcal{A}_\tau[\zeta_r][x]_{\Lambda_r}$. As $\tau$ fixes $\zeta_r$ while $\Lambda_r$ fixes $\mathcal{D}$, $\tau$ commutes with $\Lambda_r$. Thus, $\mathcal{C}_\tau = (\mathcal{A}_\tau[\zeta_r][x]_\tau)_{\Lambda_r} = \mathcal{A}_\tau[\zeta_r]_{\Lambda_r} = \mathcal{A}_\tau$. This means that we have the $\mathcal{C}$ and the $\tau' := \tau|_{\mathcal{C}}$ as promised. On the other hand if $x \notin \mathcal{A}[\zeta_r]$ then we claim that we can find a zero divisor in $\mathcal{D}$, decompose $\mathcal{D}$ into a direct sum of orthogonal ideals and construct the $\mathcal{C}$ and the $\tau'$ in one of the ideals recursively.

Say $x \notin \mathcal{A}[\zeta_r]$; then since $x^{r^t} = 1 \in \mathcal{A}$ for some integer $t > 0$, we can choose a $y \in \{x, x^r, x^{r^2}, \ldots\}$ such that $y \notin \mathcal{A}[\zeta_r]$ but $c' := y^r \in \mathcal{A}[\zeta_r]$. By Lemma 5.1 we can find a zero divisor in $\mathcal{D}$ unless $\mathcal{A}[\zeta_r][\sqrt[r]{c'}]$ is isomorphic to the subalgebra $\mathcal{A}[\zeta_r][y]$. In the latter case $\mathcal{D}_0 := \mathcal{A}[\zeta_r][y]_{\Lambda_r} \le \mathcal{D}$ is a free $\mathcal{A}$-module of rank $r$, by Proposition 4.4. Comparing dimensions it follows that $\mathcal{D}$ cannot be a free $\mathcal{D}_0$-module, therefore we can find a zero divisor $z$ in $\mathcal{D}_0$ by Lemma 2.2. Thus, whenever $x \notin \mathcal{A}[\zeta_r]$, we can find a zero divisor $z$ in $\mathcal{D}$.

We proceed with computing the ideal of $\mathcal{D}$ generated by $z$ and using Lemma 2.3 obtain a $\tau$-invariant decomposition of $\mathcal{D}$ into the orthogonal ideals $I_1, \ldots, I_t$. For $1 \le j \le t$, we denote by $\phi_j$ the projection $\mathcal{D} \to I_j$. We can assume that for all $j$, $\phi_j|_{\mathcal{A}}$ is injective as otherwise we find a zero divisor in $\mathcal{A}$, and let $E \subseteq \{I_1, \ldots, I_t\}$ be a set of representatives of all the $r$-sized orbits of $\tau$. We have

$$\frac{\dim_k \mathcal{D}}{\dim_k \mathcal{A}} = \sum_{j=1}^{t} \frac{\dim_k I_j}{\dim_k \mathcal{A}} = \sum_{j :\, I_j^\tau = I_j} \frac{\dim_k I_j}{\dim_k \mathcal{A}} + r \sum_{I \in E} \frac{\dim_k I}{\dim_k \mathcal{A}},$$

from which we infer that the first sum is nonempty and includes at least one term not divisible by $r$; therefore we can choose an index $j$ such that $I_j$ is $\tau$-invariant and $r \nmid \dim_k I_j / \dim_k \mathcal{A}$. So we can proceed with $I_j$ and $\phi_j(\mathcal{A}) \cong \mathcal{A}$ in place of $\mathcal{D}$ and $\mathcal{A}$ respectively in the algorithm described above.

The process described above stops when either we find a zero divisor in $\mathcal{A}$ or an element $x \in T_{\mathcal{A}',r}$ with $x^\tau = \zeta_r x$, where $\mathcal{A}' = \phi(\mathcal{A})$ is the image of $\mathcal{A}$ under the projection $\phi$ of $\mathcal{D}$ to some $\tau$-invariant ideal $I$. In the latter case we compute the subalgebra $\mathcal{C}' := \mathcal{A}'_\tau[\zeta_r][x]_{\Lambda_r}$. Finally put $\mathcal{C} := \phi^{-1}(\mathcal{C}')$ and $\tau' := \phi^{-1} \circ \tau \circ \phi$. Notice that, if $e_I$ is the identity element of $I$ then $\tau$ will fix $e_I$ and $\phi : \mathcal{D} \to I$ will just be the homomorphism $d \mapsto e_I d$, thus $\tau$ commutes with $\phi$. Consequently, $\mathcal{C}_{\tau'} = \phi^{-1}(\mathcal{C}'_\tau) = \phi^{-1}(\mathcal{A}'_\tau) \ge \mathcal{A}_\tau$. □

5.2 Essential Part of the Tensor Power 

Let $\mathcal{A}$ be a commutative semisimple algebra over a finite field $k$. Let $\mathcal{B}$ be its subalgebra such that $k \subseteq \mathcal{B}$ and $\mathcal{A}$ is a free module over $\mathcal{B}$ of rank $m$. If $\operatorname{char} k \le m^2$ then polynomial factorization can be done in deterministic polynomial time by Berlekamp's algorithm and consequently, all our results can be obtained easily. So we assume from now on that $\operatorname{char} k > m^2$. But then we can also assume that $\mathcal{A}$ is a simple extension algebra of $\mathcal{B}$ and find a primitive element $\alpha$ by running an algorithmic version of Fact 1 (if this "fails" then it gives a zero divisor of $\mathcal{A}$). If $g(X) \in \mathcal{B}[X]$ is a minimal polynomial of $\alpha$ then we have that $\mathcal{A} \cong \mathcal{B}[X]/(g(X))$.

It was shown by Rónyai [Ró87] that, under GRH, a zero divisor in $\mathcal{A}$ can be found in time $\operatorname{poly}((\dim_k \mathcal{A})^r, \log|\mathcal{A}|)$ if $r$ is a prime divisor of $\dim_k \mathcal{A}$. In this section we extend the method of [Ró87] and obtain a GRH-free version that will be crucial in the proof of Main Theorem. A key idea of Rónyai was to work in the essential part of the tensor powers of $\mathcal{A}$. Before going to the formal definition of it we give a motivating definition: assuming $\mathcal{A} = k[X_1]/(f(X_1))$, the essential part of $\mathcal{A}^{\otimes 2} := \mathcal{A} \otimes_k \mathcal{A}$ is its ideal isomorphic to the algebra:

$$k[X_1, X_2]/(f(X_1), f_2(X_1, X_2)), \quad \text{where } f_2(X_1, X_2) := \; \in \mathcal{A}[X_2].$$

Similarly, we can write down an expression for the essential part of $\mathcal{A}^{\otimes r}$ inductively, as a factor algebra of $k[X_1, \ldots, X_r]$.

Functional interpretation of tensor powers: Let a commutative semisimple $\mathcal{A}$ be a simple extension algebra over $\mathcal{B} \ni k$ such that $\mathcal{A} = \mathcal{B}[X]/(g(X))$ and $g(X) \in \mathcal{B}[X]$ is a monic polynomial of degree $m$. Let $r \le m$. We consider the $r$-th tensor power $\mathcal{A}^{\otimes_{\mathcal{B}} r}$ ($\mathcal{A}$ tensored with itself $r$ times wrt $\mathcal{B}$). To define (and compute) the essential part of this tensor power it is convenient to interpret $\mathcal{A}$ as a collection of functions $V \to \bar{\mathcal{B}}$ that are expressible as a polynomial over $\bar{\mathcal{B}}$ (called $\bar{\mathcal{B}}$-polynomial functions), where $\bar{\mathcal{B}} := \bar{k} \otimes_k \mathcal{B}$ is the algebraic closure of $\mathcal{B}$ and $V \subseteq \bar{\mathcal{B}}$ is a set of roots of $g(X)$. If $\mathcal{B}$ is not a field then there are various possibilities for $V$ and we need one with $\prod_{v \in V}(X - v) = g(X)$. Such a $V$ clearly exists by the definition of the algebraic closure. This functional interpretation of $\mathcal{A}$ generalizes to $\mathcal{A} \otimes_{\mathcal{B}} \mathcal{A}$, which now becomes the set of all $\bar{\mathcal{B}}$-polynomial functions from the set $V \times V$ to $\bar{\mathcal{B}}$, and finally $\mathcal{A}^{\otimes_{\mathcal{B}} r}$ is the set of all $\bar{\mathcal{B}}$-polynomial functions from the set $V^r$ to $\bar{\mathcal{B}}$. Note that in this interpretation a rank 1 tensor element $h_1 \otimes \cdots \otimes h_r$ in $\mathcal{A}^{\otimes_{\mathcal{B}} r}$ corresponds to the function $V^r \to \bar{\mathcal{B}}$ that maps $(v_1, \ldots, v_r) \mapsto h_1(v_1) \cdots h_r(v_r)$.
Essential part of tensor powers: The essential part $\mathcal{A}^{\otimes_{\mathcal{B}} r}_{\mathrm{ess}}$ of $\mathcal{A}^{\otimes_{\mathcal{B}} r}$ is the subset of functions that vanish on all the $r$-tuples $(v_1, \ldots, v_r)$ that have $v_i = v_j$ for some $i \ne j$. It can be seen that $\mathcal{A}^{\otimes_{\mathcal{B}} r}_{\mathrm{ess}}$ is an ideal of $\mathcal{A}^{\otimes_{\mathcal{B}} r}$. We show below that given a basis of $\mathcal{A}$ over $\mathcal{B}$ we can directly compute a basis for $\mathcal{A}^{\otimes_{\mathcal{B}} r}_{\mathrm{ess}}$ over $\mathcal{B}$.

Lemma 5.3. A basis for $\mathcal{A}^{\otimes_{\mathcal{B}} r}_{\mathrm{ess}}$ over $\mathcal{B}$ can be computed by a deterministic algorithm in time $\operatorname{poly}(m^r, \log|\mathcal{A}|)$.

Proof. Consider embeddings $\mu_i$ of $\mathcal{A}$ into $\mathcal{A}^{\otimes_{\mathcal{B}} r}$ ($i = 1, \ldots, r$) given as $\mu_i(a) = 1 \otimes \cdots \otimes 1 \otimes a \otimes 1 \otimes \cdots \otimes 1$ where $a$ is in the $i$-th place. In the interpretation as functions, $\mu_i(\mathcal{A})$ corresponds to the $\bar{\mathcal{B}}$-polynomial functions on $V^r$ which depend only on the $i$-th element in the tuples. Observe that the set, for $1 \le i < j \le r$:

$$\mathcal{A}_{ij} = \{\, b \in \mathcal{A}^{\otimes_{\mathcal{B}} r} \mid (\mu_i(a) - \mu_j(a))\, b = 0 \text{ for every } a \in \mathcal{A} \,\}$$

is the ideal of $\mathcal{A}^{\otimes_{\mathcal{B}} r}$ consisting of the $\bar{\mathcal{B}}$-polynomial functions which are zero on every tuple $(v_1, \ldots, v_r)$ with $v_i \ne v_j$. Given a basis for $\mathcal{A}$, a basis for $\mathcal{A}_{ij}$ can be computed by solving a system of linear equations in time (counting $k$-operations as unit time) polynomial in $\dim_k \mathcal{A}^{\otimes_{\mathcal{B}} r} = m^r \dim_k \mathcal{B}$. Finally, notice that $\mathcal{A}^{\otimes_{\mathcal{B}} r}_{\mathrm{ess}}$ can be computed as well since it is the annihilator of $\sum_{1 \le i < j \le r} \mathcal{A}_{ij}$. □

Automorphisms of the essential part: The symmetric group $S_r$ acts as a group of automorphisms of $\mathcal{A}^{\otimes_{\mathcal{B}} r}$. The action of $\pi \in S_r$ is the $\mathcal{B}$-linear extension of the map $h_1 \otimes \cdots \otimes h_r \mapsto h_{\pi(1)} \otimes \cdots \otimes h_{\pi(r)}$. This action is not semiregular on the tensor power algebra as it fixes the set $I_0$ of $\bar{\mathcal{B}}$-polynomial functions on $V^r$ that are zero on all the points $V^r \setminus \{(v, \ldots, v) \mid v \in V\}$, where $I_0$ can be seen to be an ideal of $\mathcal{A}^{\otimes_{\mathcal{B}} r}$. However, the ideal $\mathcal{A}^{\otimes_{\mathcal{B}} r}_{\mathrm{ess}}$ is invariant under this action and on it $S_r$ acts semiregularly.
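As an added worked example (not code from the paper), the computation of Lemma 5.3 for $r = 2$ on a constructed instance $\mathcal{A} = \mathbb{F}_7[X]/(X^3 - 2)$, $\mathcal{B} = k$: it builds $\mathcal{A}_{12}$ as the kernel of multiplication by $X_1 - X_2$, takes its annihilator as the essential part, and checks the rank $m(m-1)$ together with the two facts just stated about the $S_2$ action (the swap leaves the essential part invariant and, being semiregular, fixes exactly half of it). The prime, the polynomial and all helper names are assumptions of the example.

```python
"""Essential part of the tensor square A (x)_k A for A = k[X]/(f(X)).

Added worked example, not code from the paper: on a constructed instance it
carries out Lemma 5.3 for r = 2, computing A_{12} = {b : (X1 - X2) b = 0} and
its annihilator (the essential part), then checks rank m(m-1) and that the
swap automorphism of S_2 leaves it invariant and acts semiregularly on it.
"""
from itertools import product

P = 7                      # constructed instance: k = F_7
F = [(-2) % P, 0, 0, 1]    # f(X) = X^3 - 2, squarefree mod 7 (irreducible, in fact)
M = len(F) - 1             # m = dim_k A

def inv(a):
    """Inverse in F_p (a != 0)."""
    return pow(a, P - 2, P)

def reduced_powers(f, upto):
    """X^e mod f for e = 0..upto, each as a coefficient list of length m."""
    m = len(f) - 1
    pows, cur = [], [1] + [0] * (m - 1)
    for _ in range(upto + 1):
        pows.append(cur)
        top, nxt = cur[-1], [0] + cur[:-1]   # multiply by X, then replace X^m
        cur = [(nxt[i] - top * f[i]) % P for i in range(m)]  # by -(f_0+...+f_{m-1}X^{m-1})
    return pows

POW = reduced_powers(F, 2 * M - 2)
N = M * M                  # dim_k (A (x) A)

def idx(i, j):
    """Basis index of X1^i X2^j in A (x) A = k[X1,X2]/(f(X1), f(X2))."""
    return i * M + j

def mul(u, v):
    """Product of two elements of A (x) A given as coefficient vectors."""
    out = [0] * N
    for (i, j), (k, l) in product(product(range(M), repeat=2), repeat=2):
        c = u[idx(i, j)] * v[idx(k, l)] % P
        if c:
            p1, p2 = POW[i + k], POW[j + l]      # reduce X1^(i+k) and X2^(j+l)
            for a in range(M):
                for b in range(M):
                    out[idx(a, b)] = (out[idx(a, b)] + c * p1[a] * p2[b]) % P
    return out

def kernel(rows):
    """Basis of {x : R x = 0} over F_p, R given as a list of rows (Gauss-Jordan)."""
    n, rows, pivots = len(rows[0]), [r[:] for r in rows], []
    for col in range(n):
        piv = next((r for r in range(len(pivots), len(rows)) if rows[r][col]), None)
        if piv is None:
            continue
        k = len(pivots)
        rows[k], rows[piv] = rows[piv], rows[k]
        s = inv(rows[k][col])
        rows[k] = [x * s % P for x in rows[k]]
        for r in range(len(rows)):
            if r != k and rows[r][col]:
                t = rows[r][col]
                rows[r] = [(x - t * y) % P for x, y in zip(rows[r], rows[k])]
        pivots.append(col)
    basis = []
    for fc in (c for c in range(n) if c not in pivots):   # one vector per free column
        vec = [0] * n
        vec[fc] = 1
        for r, pc in enumerate(pivots):
            vec[pc] = (-rows[r][fc]) % P
        basis.append(vec)
    return basis

def rank(vectors):
    """Rank of a list of vectors (each of length N) over F_p."""
    return len(vectors) - len(kernel([[v[t] for v in vectors] for t in range(N)]))

def mult_rows(a):
    """Matrix (as rows) of the multiplication map b -> a*b on A (x) A."""
    cols = [mul(a, [int(s == t) for t in range(N)]) for s in range(N)]
    return [[cols[s][t] for s in range(N)] for t in range(N)]

def essential_part():
    """Basis of the essential part, the annihilator of A_{12} (Lemma 5.3, r = 2)."""
    d = [0] * N
    d[idx(1, 0)], d[idx(0, 1)] = 1, P - 1           # d = mu_1(X) - mu_2(X) = X1 - X2
    a12 = kernel(mult_rows(d))                       # A_{12} = {b : d*b = 0}
    return kernel([row for a in a12 for row in mult_rows(a)])

def swap(u):
    """The S_2 automorphism X1 <-> X2 (the map h1 (x) h2 -> h2 (x) h1)."""
    return [u[idx(j, i)] for i in range(M) for j in range(M)]

def swap_fixed_dimension(basis):
    """dim of the swap-fixed subspace of span(basis); m(m-1)/2 when semiregular."""
    diff = [[(swap(b)[t] - b[t]) % P for b in basis] for t in range(N)]
    return len(kernel(diff))
```

For this instance `essential_part()` has 6 = m(m-1) elements, `rank(E + [swap(b) for b in E])` stays 6 (the ideal is swap-invariant) and `swap_fixed_dimension(E)` is 3.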

Embedding $\mathcal{A}$ in the essential part: $\mathcal{A}$ can be embedded into $\mathcal{A}^{\otimes_{\mathcal{B}} r}$ by sending $h \in \mathcal{A}$ to $h \otimes 1_{\mathcal{A}} \otimes \cdots \otimes 1_{\mathcal{A}}$. Composing this embedding with the projection onto the ideal $\mathcal{A}^{\otimes_{\mathcal{B}} r}_{\mathrm{ess}}$ (which exists by the semisimplicity of the tensor power) we obtain an embedding of $\mathcal{A}$ in $\mathcal{A}^{\otimes_{\mathcal{B}} r}_{\mathrm{ess}}$.

Note that the ideal $\mathcal{A}^{\otimes_{\mathcal{B}} r}_{\mathrm{ess}}$ is a free $\mathcal{B}$-module of rank $m \cdots (m - r + 1)$. Denoting the above embedding of $\mathcal{A}$ also by $\mathcal{A}$, if $r$ is a prime divisor of $m$ then $m \cdots (m - r + 1)/m = \dim_k \mathcal{A}^{\otimes_{\mathcal{B}} r}_{\mathrm{ess}} / \dim_k \mathcal{A}$ is not divisible by $r$ and we can apply Proposition 5.2 with $\mathcal{A}^{\otimes_{\mathcal{B}} r}_{\mathrm{ess}}$ as $\mathcal{D}$ and the cyclic permutation $(1 \ldots r)$ as $\tau$. This immediately gives us the following GRH-free version of the result of [Ró87]:

Theorem 5.4. Let $\mathcal{B}$ be a subalgebra of a commutative semisimple algebra $\mathcal{A}$ over a finite field $k$ such that $k \subseteq \mathcal{B}$; let $\mathcal{A}$ be a free $\mathcal{B}$-module of rank $m$; and let $r$ be a prime divisor of $m$. Then in deterministic $\operatorname{poly}(m^r, \log|\mathcal{A}|)$ time one can either find a zero divisor in $\mathcal{A}$ or compute a subalgebra $\mathcal{C}$ of $\mathcal{A}$ together with a semiregular automorphism $\tau$ of $\mathcal{C}$ of order $r$ such that $\mathcal{C}_\tau \ge \mathcal{B}$.

In the proof of Main Theorem we will need one more property of the essential part of 
the tensor square. 

Left and Right Mappings: Note that there are two ways to map $\mathcal{A}$ into an ideal $I \le (\mathcal{A} \otimes_{\mathcal{B}} \mathcal{A})_{\mathrm{ess}}$: either by first embedding $\mathcal{A}$ into $\mathcal{A} \otimes_{\mathcal{B}} \mathcal{A}$ by $h \mapsto h \otimes 1$ or by first embedding $\mathcal{A}$ into $\mathcal{A} \otimes_{\mathcal{B}} \mathcal{A}$ by $h \mapsto 1 \otimes h$, and then projecting to the ideal $I$ (which is also an ideal of $\mathcal{A} \otimes_{\mathcal{B}} \mathcal{A}$). The former we call the left mapping while the latter the right mapping (of $\mathcal{A}$ into $I$).

We will now show that these two mappings of $\mathcal{A}$ into $I \le (\mathcal{A} \otimes_{\mathcal{B}} \mathcal{A})_{\mathrm{ess}}$ are quite different if $I$ is large enough.

Lemma 5.5. Let $m := \dim_{\mathcal{B}} \mathcal{A}$ and $I$ be a nonzero ideal of $(\mathcal{A} \otimes_{\mathcal{B}} \mathcal{A})_{\mathrm{ess}}$. Let $\tau_1 : \mathcal{A} \to I$ be the left mapping of $\mathcal{A}$ while $\tau_2$ be the right mapping of $\mathcal{A}$ into $I$. Then there exists an element $x \in \mathcal{A}$ such that $\tau_1(x) \ne \tau_2(x)$. Furthermore, if $\dim_k I / \dim_k \mathcal{B} > m$ then $\tau_1(\mathcal{A}) \ne \tau_2(\mathcal{A})$.

Proof. To see the first statement observe that $(\mathcal{A} \otimes_{\mathcal{B}} \mathcal{A})_{\mathrm{ess}}$ is the ideal of $\mathcal{A} \otimes_{\mathcal{B}} \mathcal{A}$ generated by the set of elements $\{x \otimes 1 - 1 \otimes x \mid x \in \mathcal{A}\}$, see Lemma 5.3. It follows that $I$ (as an ideal) is generated by the elements $\{\tau_1(x) - \tau_2(x) \mid x \in \mathcal{A}\}$. Consequently, if $\tau_1(x) - \tau_2(x) = 0$ for all $x \in \mathcal{A}$ then $I = 0$.

To see the second assertion, note that as $I$ is an ideal of the essential part of the semisimple $\mathcal{A} \otimes_{\mathcal{B}} \mathcal{A}$, there is a natural projection $\phi : \mathcal{A} \otimes_{\mathcal{B}} \mathcal{A} \to I$. Then $\tau_1(\mathcal{A}) = \phi(\mathcal{A} \otimes_{\mathcal{B}} 1)$ and $\tau_2(\mathcal{A}) = \phi(1 \otimes_{\mathcal{B}} \mathcal{A})$. From this and from the fact that $\mathcal{A} \otimes_{\mathcal{B}} 1$ and $1 \otimes_{\m
athcal{B}} \mathcal{A}$ generate $\mathcal{A} \otimes_{\mathcal{B}} \mathcal{A}$ we infer that $\tau_1(\mathcal{A})$ and $\tau_2(\mathcal{A})$ generate $I$. As $\dim_k \tau_1(\mathcal{A}) \le \dim_k \mathcal{A} = m \dim_k \mathcal{B} < \dim_k I$, this excludes the possibility of $\tau_1(\mathcal{A}) = \tau_2(\mathcal{A})$. □

5.3 Proof of Main Theorem 

We now prove the following slightly stronger version of Main Theorem. 

Theorem 5.6. Given a commutative semisimple algebra $\mathcal{A}$ over a finite field $k$ and a subalgebra $\mathcal{B} \ni k$ of $\mathcal{A}$ such that $\mathcal{A}$ is a free $\mathcal{B}$-module of rank $m$. Then in deterministic $\operatorname{poly}(m^{\log m}, \log|\mathcal{A}|)$ time one can either find a zero divisor in $\mathcal{A}$ or a semiregular automorphism $\sigma$ of $\mathcal{A}$ of order $m$ with $\mathcal{A}_\sigma = \mathcal{B}$.

Proof. We may assume that $\operatorname{char} k > m^2$ as otherwise using Berlekamp's factoring algorithm we can completely decompose $\mathcal{A}$ into simple components.

If $m$ is even then using the algorithm of Theorem 5.4 we either find a zero divisor in $\mathcal{A}$ or a subalgebra $\mathcal{C} \le \mathcal{A}$ together with a semiregular automorphism $\sigma_0$ of $\mathcal{C}$ of order 2 with $\mathcal{C}_{\sigma_0} \ge \mathcal{B}$ in deterministic polynomial time. In the former case we are done while in the latter case we make two recursive calls: one on the pair $(\mathcal{A}, \mathcal{C})$ and the other on the pair $(\mathcal{C}_{\sigma_0}, \mathcal{B})$. This way we either find a zero divisor in $\mathcal{A}$ or we find a semiregular automorphism $\sigma_1$ of $\mathcal{A}$ satisfying $\mathcal{A}_{\sigma_1} = \mathcal{C}$ as well as a semiregular automorphism $\sigma_2$ of $\mathcal{C}_{\sigma_0}$ satisfying $(\mathcal{C}_{\sigma_0})_{\sigma_2} = \mathcal{B}$. In the former case we are done while in the latter case we apply the algorithm of Lemma 4.8 two times to construct $\sigma$ from $\sigma_0, \sigma_1, \sigma_2$. This finishes the even $m$ case.

Assume for the rest of the proof that $m$ is odd. We outline here the overall flow of the algorithm. We work in the algebra $\mathcal{A}' := (\mathcal{A} \otimes_{\mathcal{B}} \mathcal{A})_{\mathrm{ess}}$ and $\mathcal{B}' := \phi_1(\mathcal{A})$ where $\phi_1$ and $\phi_2$ are respectively the left and right embeddings of $\mathcal{A}$ into $\mathcal{A}'$. During the course of the algorithm we maintain a nonzero ideal $I \le \mathcal{A}'$ with $\mathcal{B}'$ embedded in it. Any time we find a zero divisor in $I$ we replace $I$ with either the ideal generated by the zero divisor or its complement, depending on which has smaller dimension. We can assume the new ideal to be a free module over an embedded $\mathcal{B}'$ as otherwise we can find a zero divisor in $\mathcal{B}'$ (equivalently in $\mathcal{A}$). Note that the rank of the new ideal over the embedded $\mathcal{B}'$ is at most half of the original one. Initially $I = \mathcal{A}'$ and it is a free $\mathcal{B}'$-module of even rank $(m-1)$ and so we can apply the recursion outlined in the second paragraph of this proof. In this way at any stage we either find a smaller ideal of $I$ or a semiregular automorphism $\sigma$ of $I$ such that $I_\sigma = e_I \mathcal{B}' = \mathcal{B}'$, where $e_I$ is the identity element of $I$. In the former case we replace $I$ by the smaller ideal (with an embedded $\mathcal{B}'$) and apply recursion which again either finds a zero divisor (and hence a smaller ideal) or a $\mathcal{B}'$-automorphism of the new ideal.

The recursion outlined above halts either with a zero divisor found in $\mathcal{B}'$ (equivalently in $\mathcal{A}$) or with a semiregular automorphism $\sigma$ of an $I \le \mathcal{A}'$ such that $I_\sigma = e_I \mathcal{B}' = \mathcal{B}'$. In the former case we are done while the latter case is what we handle now. Let $\tau_1 : \mathcal{A} \to I$ mapping $a \mapsto e_I \phi_1(a)$ be the embedding of $\mathcal{A}$ into $I$. Look at the homomorphism $\tau_2 : \mathcal{A} \to I$ that maps $a \mapsto e_I \phi_2(a)$. It is a nonzero homomorphism as $\tau_2(1) = e_I \ne 0$. So we can assume $\tau_2$ to be an embedding of $\mathcal{A}$ in $I$ as well, or else we get a zero divisor in $\mathcal{A}$.

If $\sigma$ is trivial, i.e. $I = e_I \mathcal{B}' = \mathcal{B}' \cong \mathcal{A}$, then $\mu := \tau_2^{-1} \tau_1$ is a nontrivial $\mathcal{B}$-automorphism of $\mathcal{A}$ by the first part of Lemma 5.5. If $\mu$ is not semiregular then we can find a zero divisor by Proposition 3.2, while if $\mu$ is semiregular then we can apply recursion to the pair $(\mathcal{A}_\mu, \mathcal{B})$, find an automorphism of $\mathcal{A}_\mu$ and finally extend it to a promised automorphism of $\mathcal{A}$ by Lemma 4.8.

So let us assume that $\sigma$ is nontrivial, i.e. $I > I_\sigma = \tau_1(\mathcal{A})$, thus $\operatorname{rk}_{\tau_1(\mathcal{B})} I > m$. Then we define $\mathcal{B}'' := \tau_2(\mathcal{A})$ and apply recursion to the pair $(I, \mathcal{B}'')$. We either find a zero divisor of $I$ or obtain a semiregular automorphism $\sigma'$ of $I$ with $I_{\sigma'} = \mathcal{B}''$. In the former case we can proceed with a smaller ideal of $I$ or finish with a zero divisor of $\mathcal{B}''$ and hence of $\mathcal{A}$, so the latter case of having a $\sigma'$ is what we think about now. We can assume that $\sigma$ and $\sigma'$ commute as otherwise we can find a zero divisor of $I$ by the algorithm of Theorem 4.7 and proceed with recursion. Thus, $I_{\sigma'}$ is $\sigma$-invariant and $I_\sigma$ is $\sigma'$-invariant. Thus both $\sigma$ and $\sigma'$ can be viewed as automorphisms of $\tau_2(\mathcal{A})$ and $\tau_1(\mathcal{A})$ respectively. If both these actions are trivial then $\tau_1(\mathcal{A}) = I_\sigma = (I_\sigma)_{\sigma'} = (I_{\sigma'})_\sigma = I_{\sigma'} = \tau_2(\mathcal{A})$, which contradicts the second statement of Lemma 5.5. Thus one of them is nontrivial, wlog say $\sigma$ is a nontrivial automorphism of $\tau_2(\mathcal{A})$. Then $\mu := \tau_2^{-1} \sigma \tau_2$ is a nontrivial automorphism of $\mathcal{A}$. Again we can either find a zero divisor of $\mathcal{A}$ or proceed with a recursion to the pair $(\mathcal{A}_\mu, \mathcal{B})$, getting a promised automorphism of $\mathcal{A}$ by the algorithm of Lemma 4.8.

To see the dominating term in the time complexity observe that in any recursive call on some pair, say $(\mathcal{C}, \mathcal{D})$ with $d := \operatorname{rk}_{\mathcal{D}} \mathcal{C}$, if $d$ is odd then we need to go to the tensor square of $\mathcal{C}$ wrt $\mathcal{D}$. Thus we need to then work in an algebra of rank $d$ times the original rank. As we start with rank $m$ we have $d \le m$, and as the rank $d$ is at least halved in the subsequent recursive call (if there is one), we deduce that the algorithm works at all times in an algebra of rank (over $\mathcal{B}$) at most $m^{\log m}$. It is then routine to verify that the algorithm requires in all just $\operatorname{poly}(m^{\log m})$ many $\mathcal{B}$-operations, which proves the time complexity as promised. □

To finish the proof of Main Theorem, apply the process described in the above Theorem to $\mathcal{B} = k$. If it yields a zero divisor $z$ of $\mathcal{A}$ then the ideal $I := \mathcal{A}z$ and its complementary ideal $I^\perp$ give a decomposition $\mathcal{A} = I \oplus I^\perp$. If $e_I$ is the identity element of $I$ then we can repeat the process now with $\mathcal{A}$ replaced by $e_I \mathcal{A} = I$ and $\mathcal{B}$ replaced by $e_I k \cong k$. Thus after several iterations based on Theorem 5.6 we get the direct sum decomposition of $\mathcal{A}$ together with automorphisms as promised in Main Theorem.

6 Noncommutative Applications 

In this section we show that given a noncommutative algebra $\mathcal{A}$ over a finite field we can unconditionally find zero divisors of $\mathcal{A}$ in deterministic subexponential time. The idea is to compute a commutative subalgebra $\mathcal{D}$ of $\mathcal{A}$, find an automorphism of $\mathcal{D}$ using the algorithm described in Theorem 5.6 and finally construct a zero divisor of $\mathcal{A}$ using this automorphism.

Preprocessing: Let $\mathcal{A}$ be a finite dimensional noncommutative algebra over a finite field $k$. If $\mathcal{A}$ is not semisimple then we can compute the radical of $\mathcal{A}$, by the deterministic polynomial time algorithm of [Ró90, CIW96], and get several zero divisors. So we can assume that $\mathcal{A}$ is semisimple. We can efficiently compute the center $\mathcal{C}$ of $\mathcal{A}$ ($\mathcal{C}$ is the subalgebra having elements that commute with all elements in $\mathcal{A}$) by solving a system of linear equations. By the Artin-Wedderburn Theorem (see Fact 4) we know that if $\mathcal{C}_1, \ldots, \mathcal{C}_r$ are the simple components of $\mathcal{C}$ then, structurally, $\mathcal{A} \cong \bigoplus_{i=1}^r M_{m_i}(\mathcal{C}_i)$, where $M_m(R)$ stands for the algebra of all $m \times m$ matrices over the $k$-algebra $R$. Note that if the $m_i$'s are not all the same then $\mathcal{A}$ would not be a free module over $\mathcal{C}$ and hence we can find a zero divisor in $\mathcal{C}$ by Lemma 2.2. So we can assume $\mathcal{A} \cong \bigoplus_{i=1}^r M_m(\mathcal{C}_i) = M_m(\bigoplus_{i=1}^r \mathcal{C}_i) = M_m(\mathcal{C})$. Thus the hard case is to find a zero divisor in an algebra isomorphic to $M_m(\mathcal{C})$; this is what we focus on in the remaining section. We identify $\mathcal{C}$ with the scalar matrices in $M_m(\mathcal{C})$.

6.1 Automorphisms of a Commutative Semisimple Subalgebra of $M_m(\mathcal{C})$

Note that for any invertible matrix $A$ there is a natural automorphism of the full matrix algebra that maps $x$ to $A^{-1} x A$; we call this a conjugation automorphism. We show in the first Lemma that, under a certain mild condition, an automorphism of a commutative semisimple subalgebra of the full matrix algebra corresponds to a conjugation automorphism.

Recall that every maximal commutative semisimple subalgebra of the full matrix algebra $M_m(F)$ over a perfect field $F$ has dimension $m$ over $F$. If $F$ is algebraically closed then every commutative semisimple subalgebra of $M_m(F)$ is in fact (up to a conjugation isomorphism) a subalgebra of the diagonal matrices.

Lemma 6.1. Let $\mathcal{C}$ be a commutative semisimple algebra over a finite field $k$, let $\mathcal{B} \le M_m(\mathcal{C})$ be a commutative semisimple $\mathcal{C}$-algebra and let $\sigma$ be a $\mathcal{C}$-automorphism of $\mathcal{B}$. Let there be a maximal commutative semisimple subalgebra $\mathcal{D} \le M_m(\mathcal{C})$ containing $\mathcal{B}$ such that $\mathcal{D}$ is a free $\mathcal{B}$-module. Then there exists a nonzero $y \in M_m(\mathcal{C})$ such that $\forall x \in \mathcal{B}$, $x^\sigma = y^{-1} x y$.

Proof. We get hold of this element $y$ by reducing the question to the case of $\mathcal{C}$ being an algebraically closed field, when $\mathcal{D}$ becomes a direct sum of $m$ copies of $\mathcal{C}$ and $\mathcal{B}$ becomes a direct sum of $r \mid m$ copies of $\mathcal{C}$. In that case we can find a basis of 0-1 diagonal matrices for $\mathcal{B}$ that is permuted by $\sigma$ and hence construct the promised $y$ as a permutation matrix.

Firstly, we can assume $\mathcal{C}$ to be a field because if $I_1, \ldots, I_c$ are the simple components of $\mathcal{C}$ then clearly the $I_i$'s are all finite fields, and we can try finding the promised $y_i$ for the instance of $(\mathcal{D}I_i, \mathcal{B}I_i, I_i)$. Note that since $\sigma$ was fixing $I_i$, $\sigma$ is still an $I_i$-automorphism of $\mathcal{B}I_i$ and by the freeness condition, $\mathcal{D}I_i$ is still a free $(\mathcal{B}I_i)$-module and it is a maximal commutative semisimple subalgebra of $M_m(I_i)$. Also, once we have the $y_i$, for all $1 \le i \le c$, satisfying $y_i x^\sigma = x y_i$ for all $x \in \mathcal{B}I_i$, it is easy to see that $(y_1 + \cdots + y_c)$ is the promised $y$. So for the rest of the proof we assume that $\mathcal{C}$ is a finite field extension of $k$. Secondly, notice that the condition $y x^\sigma = x y$ is equivalent to the system of equations $y x_1^\sigma = x_1 y, \ldots, y x_r^\sigma = x_r y$ for a $\mathcal{C}$-basis $x_1, \ldots, x_r$ of $\mathcal{B}$. In terms of the entries of the matrix $y$ this is a system of homogeneous linear equations in the field $\mathcal{C}$. This system has a nonzero solution over $\mathcal{C}$ iff the same system has a nonzero solution over the algebraic closure $\bar{\mathcal{C}}$ of $\mathcal{C}$. A solution over $\bar{\mathcal{C}}$ gives a matrix $y \in M_m(\bar{\mathcal{C}})$ such that $y x^\sigma = x y$ for every $x \in \bar{\mathcal{B}}$ where $\bar{\mathcal{B}} := \bar{\mathcal{C}} \otimes_{\mathcal{C}} \mathcal{B}$ and we extend $\sigma$ $\bar{\mathcal{C}}$-linearly to an algebra automorphism of $\bar{\mathcal{B}}$. Because $k$ was a finite field, $\bar{\mathcal{B}} \le M_m(\bar{\mathcal{C}})$ is a commutative semisimple algebra over $\bar{\mathcal{C}}$. Similarly, $\bar{\mathcal{D}} := \bar{\mathcal{C}} \otimes_{\mathcal{C}} \mathcal{D}$ is a maximal commutative semisimple subalgebra of $M_m(\bar{\mathcal{C}})$, and is also a free $\bar{\mathcal{B}}$-module. By the former condition $\dim_{\bar{\mathcal{C}}} \bar{\mathcal{D}} = m$ and by the latter condition $r \mid m$. We will now focus on the instance of $(\bar{\mathcal{D}}, \bar{\mathcal{B}}, \bar{\mathcal{C}})$ and try to construct the promised $y$.

As $\bar{\mathcal{D}}$ is a sum of $m$ copies of $\bar{\mathcal{C}}$, by an appropriate basis change we can make $\bar{\mathcal{D}}$ the algebra of all diagonal matrices in $M_m(\bar{\mathcal{C}})$. Also, as $\bar{\mathcal{D}}$ is a free $\bar{\mathcal{B}}$-module, a further basis change makes $\bar{\mathcal{B}}$ the algebra generated by the matrices $e_1, \ldots, e_r$ where each $e_i$ is a diagonal 0-1 matrix having $m/r$ consecutive 1's. In that case the automorphism $\sigma$ has a simple action, namely it permutes the matrices $\{e_1, \ldots, e_r\}$. Let $y$ be a block $r \times r$-matrix whose blocks are all $m/r \times m/r$ zero matrices except at positions $(i, i^\sigma)$ ($i^\sigma$ is defined by $e_i^\sigma = e_{i^\sigma}$), where the block is the $m/r \times m/r$ identity matrix. Clearly then, $e_i^\sigma = y^{-1} e_i y$ for all $1 \le i \le r$ and hence $x^\sigma = y^{-1} x y$ for every $x \in \bar{\mathcal{B}}$ by extending the equalities linearly to $\bar{\mathcal{B}}$. □

In the second Lemma we show that a conjugation automorphism of prime order of a 
commutative semisimple subalgebra corresponds to a zero divisor of the original algebra. 

Lemma 6.2. Let $\mathcal{A}$ be a finite dimensional algebra over the perfect field $F$ and let $\mathcal{B} \le \mathcal{A}$ be a commutative semisimple algebra containing $F 1_{\mathcal{A}}$. Let $r$ be a prime different from $\operatorname{char} F$ and let $y \in \mathcal{A}$ be of order $r$ such that: $y^{-1} \mathcal{B} y = \mathcal{B}$ but there is an element $x \in \mathcal{B}$ with $y^{-1} x y \ne x$. Then the minimal polynomial of $y$ over $F$ is in fact $(X^r - 1)$. As a consequence, $(y - 1)$ and $(1 + y + \cdots + y^{r-1})$ is a pair of zero divisors in $\mathcal{A}$.

Proof. Let $\bar{F}$ be the algebraic closure of $F$. Note that in $\bar{\mathcal{A}} := \bar{F} \otimes_F \mathcal{A}$, the minimal polynomial of $1 \otimes y$ is the same as that of $y$ in $\mathcal{A}$; $\bar{\mathcal{B}} := \bar{F} \otimes_F \mathcal{B}$ remains commutative semisimple and conjugation by $1 \otimes y$ acts on it as an automorphism of order $r$. Thus for the rest of the proof we can assume $F$ to be algebraically closed.

As conjugation by $y$ does not fix $\mathcal{B}$, there exists a primitive idempotent $e$ of $\mathcal{B}$ for which the elements $e_j = y^{-j} e y^j$ ($j = 1, \ldots, r$) are pairwise orthogonal primitive idempotents of $\mathcal{B}$. This means that the corresponding left ideals $L_j := \mathcal{A} e_j$ are linearly independent over $F$. Assume now that the minimal polynomial of $y$ has degree less than $r$. So there are elements $a_0, \ldots, a_{r-1} \in F$, not all zero, such that $\sum_{j=0}^{r-1} a_j y^j = 0$. This implies that $e \sum_{j=0}^{r-1} a_j y^j = \sum_{j=0}^{r-1} a_j y^j e_j = 0$, which together with the fact that the $y^j e_j$'s are all nonzero contradicts the linear independence of $L_1, \ldots, L_r$. □
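As an added illustration of Lemmas 6.1 and 6.2 (not code from the paper), on a constructed instance in $M_6(\mathbb{F}_5)$ with $r = 3$: $\mathcal{B}$ is generated by the block 0-1 diagonal idempotents $e_1, e_2, e_3$, $\sigma$ shifts them cyclically, $y$ is the block permutation matrix built exactly as in the proof of Lemma 6.1, and the pair $(y - 1)$, $(1 + y + y^2)$ is checked to consist of nonzero matrices with zero product. The field, the block sizes and all helper names are assumptions of the example.

```python
"""Conjugation automorphism and zero-divisor pair (Lemmas 6.1 and 6.2).

Added worked example, not code from the paper, on a constructed instance:
B < M_m(F_p) is generated by block 0-1 diagonal idempotents e_0..e_{r-1},
sigma cyclically permutes them, y is the block permutation matrix of
Lemma 6.1, and (y - 1), (1 + y + ... + y^(r-1)) are checked to be a pair of
zero divisors as Lemma 6.2 promises.
"""
P = 5          # constructed: F = F_5 (r = 3 != char F)
M, R = 6, 3    # m = 6, r = 3 divides m, blocks of size m/r = 2
BLK = M // R

def matmul(a, b):
    """Product of two M x M matrices over F_p."""
    return [[sum(a[i][k] * b[k][j] for k in range(M)) % P for j in range(M)]
            for i in range(M)]

def identity():
    return [[int(i == j) for j in range(M)] for i in range(M)]

def transpose(a):
    return [list(col) for col in zip(*a)]

def add(a, b):
    return [[(u + v) % P for u, v in zip(ra, rb)] for ra, rb in zip(a, b)]

def is_zero(a):
    return all(v == 0 for row in a for v in row)

def block_idempotent(i):
    """e_i: diagonal 0-1 matrix with m/r consecutive 1's in block i (0-based)."""
    return [[int(a == b and a // BLK == i) for b in range(M)] for a in range(M)]

def sigma(i):
    """The automorphism on block indices, e_i -> e_{i^sigma}: a cyclic shift."""
    return (i + 1) % R

def conjugation_matrix():
    """y of Lemma 6.1: identity block at position (i, i^sigma), zero elsewhere."""
    y = [[0] * M for _ in range(M)]
    for i in range(R):
        for s in range(BLK):
            y[i * BLK + s][sigma(i) * BLK + s] = 1
    return y

def conjugate(y, x):
    """y^{-1} x y; y is a permutation matrix, so y^{-1} = y^T."""
    return matmul(matmul(transpose(y), x), y)

def zero_divisor_pair(y):
    """(y - 1, 1 + y + ... + y^(r-1)) as in Lemma 6.2."""
    one = identity()
    left = add(y, [[(-v) % P for v in row] for row in one])
    right, pw = one, one
    for _ in range(R - 1):
        pw = matmul(pw, y)
        right = add(right, pw)
    return left, right

def check():
    """(conjugation by y realises sigma on the e_i, both factors nonzero, product zero)."""
    y = conjugation_matrix()
    permutes = all(conjugate(y, block_idempotent(i)) == block_idempotent(sigma(i))
                   for i in range(R))
    left, right = zero_divisor_pair(y)
    nonzero = not is_zero(left) and not is_zero(right)
    return permutes, nonzero, is_zero(matmul(left, right))
```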
6.2 Proof of Application 1

In this subsection we give the proof of Application 1: given a noncommutative algebra $\mathcal{A}$ over a finite field $k$, one can unconditionally find zero divisors of $\mathcal{A}$ in deterministic subexponential time. By the preprocessing discussed in the beginning of the section it is clear that we need to only handle the case of $\mathcal{A} = M_m(\mathcal{C})$, where $\mathcal{C}$ is a commutative semisimple algebra over $k$. The basic idea in the algorithm then is to find a maximal commutative semisimple subalgebra $\mathcal{D} \le \mathcal{A}$, find a $\mathcal{C}$-automorphism $\sigma$ of $\mathcal{D}$, use it to define a subalgebra of $\mathcal{A}$ which is a so called cyclic algebra, and then find a zero divisor in this cyclic algebra by the method of [W05]. The cyclic algebras $\mathcal{A}'$ over $\mathcal{C}$ we encounter have two generators $x, y$ such that for a prime $r$: $xy = \zeta_r yx$ and the multiplicative orders of $x, y$ are powers of $r$. These algebras have the ring of quaternions as their classic special case, when $x^2 = y^2 = -1$ and $xy = -yx$.

Given the algebra $\mathcal{A}$ (with an unknown isomorphism to $M_m(\mathcal{C})$) in basis form over the finite field $k$, we can compute easily the center of $\mathcal{A}$, and it will be $\mathcal{C}$. We can also compute a maximal commutative semisimple subalgebra $\mathcal{D}$ of $\mathcal{A}$ by the deterministic polynomial time algorithm of [GI00] ($\mathcal{D}$ has an unknown isomorphism to the subalgebra of diagonal matrices of $M_m(\mathcal{C})$). Being maximal, $\mathcal{D}$ is a free module over $\mathcal{C}$ of rank $m$. By Theorem 5.6 we can, in deterministic $\operatorname{poly}(m^{\log m}, \log|\mathcal{A}|)$ time, either find a zero divisor in $\mathcal{D}$ or compute a semiregular automorphism $\sigma$ of $\mathcal{D}$ such that $\mathcal{D}_\sigma = \mathcal{C}$. In the former case we are done, so it is the latter case that we now assume. By Lemma 6.1 there certainly exists a $y \in \mathcal{A}$ such that $d^\sigma = y^{-1} d y$ for every $d \in \mathcal{D}$, so by picking a nonzero solution of the corresponding system of linear equations we either find a zero divisor of $\mathcal{A}$ or we find such a $y$. So suppose we find a $y$ such that $d^\sigma = y^{-1} d y \ne d$ for every $d \in \mathcal{D} \setminus \mathcal{C}$.

We can efficiently obtain a multiple $M$ of the multiplicative order of $y$, $\mathrm{ord}(y)$, just by looking at the degrees of the irreducible factors of the minimal polynomial of $y$ over $k$ (this can be done deterministically without actually computing the factorization). Fix a prime factor $r \mid m$. As $\sigma$ is a semiregular $C$-automorphism of $D$, $\sigma$ is of order $m$, hence using $M$ we can replace $y$ and $\sigma$ by appropriate powers such that $\mathrm{ord}(y)$ is a power of $r$ while $\mathrm{ord}(\sigma) = r$. By this construction, conjugation by $y$ is now a $C$-automorphism $\sigma$ of $D$ of order $r$. Put $z := y^r$, thus $d = d^{\sigma^r} = z^{-1} d z$ for every $d \in D$. Note that we can assume $z \ne 1$, as otherwise $(y - 1)$ is a zero divisor of $A$ by Lemma 6.2. Thus an appropriate power of $z$, say $\zeta_r$, has order $r$. Consider the subalgebra $D[z]$; it is commutative by the action of $z$ on $D$ seen above, and it can also be assumed to be semisimple, as otherwise we can find many zero divisors by just computing its radical. So $D[z]$ is a commutative semisimple algebra. By the maximality of $D$ we deduce that $D[z] = D$, hence $z \in D$ and $\zeta_r \in D$. So by Lemma 4.5 we can find efficiently either a zero divisor in $D$ or an $x \in D^*$ such that $x^\sigma = \zeta_r x$. We assume the latter case and we replace $x$ by an appropriate power so that $\mathrm{ord}(x)$ is an $r$-power. Let $w := x^r$; as $\sigma$ fixes $w$, it has to be in $C$.

Let $A' := C[x, y]$, $D_x := C[x] \le A'$, $D_y := C[y] \le A'$ and $C' := C[w, z] \le A'$. Note that by the definitions of $w, z$ it is easy to deduce that $C'$ is in the center of $A'$ and that $x, y \notin C'$. Furthermore, by $xy = \zeta_r yx$ it follows that the set $\{x^i y^j \mid 0 \le i, j \le r-1\}$ is a system of generators for $A'$ as a $C'$-module. The relation $xy = \zeta_r yx$ also implies that conjugation by $y$ acts on $D_x$ as an automorphism of order $r$ and that conjugation by $x$ acts on $D_y$ as an automorphism of order $r$. We can assume that both these $C'$-automorphisms are semiregular, as otherwise we can find a zero divisor by Proposition 3.2. Thus both $D_x$ and $D_y$ are free modules over $C'$ of rank $r$; furthermore we assume $A'$ to be a free $C$-module (also a free $C'$-module), or else we find a zero divisor in $C$ (or $C'$) by Lemma 2.2.

We can assume that $w, z$ generate a cyclic subgroup of $C'^*$, otherwise by Lemma 2.1 we can find a zero divisor in $C'$. If the order of $z$ is larger than the order of $w$ then there is a $u \in C'$ with $u^r = w$. Put $x' := u^{-1} x$; then $x'^r = 1$ and $x' y = \zeta_r y x'$, thus conjugation by $x'$ gives an automorphism of $D_y$ of order $r$, whence $(x' - 1)$ is a zero divisor by Lemma 6.2. Similarly, we find a zero divisor if the order of $w$ is larger than the order of $z$. Thus we can assume that $w$ and $z$ have equal orders, say $r^s$. By looking at the elements $w^{r^{s-1}}$ and $z^{r^{s-1}}$, both of which have order $r$ and generate a cyclic group, we can find a unique $0 < j < r$ such that $\mathrm{ord}(w^j z) < r^s$. We now follow the method of the proof of Theorem 5.1 of [W05] to find a zero divisor in $A'$.

Define $y' := x^j y$. Using $y x y^{-1} = \zeta_r^{-1} x$ repeatedly we get
$$y'^r = (x^j y)^{r-2}(x^j y)(x^j y) = (x^j y)^{r-2}\,(\zeta_r^{-j} x^{2j} y^2) = \cdots = \zeta_r^{-j r(r-1)/2}\, x^{jr} y^r = \zeta_r^{-j r(r-1)/2}\, w^j z .$$
Thus if $r$ is odd then $y'^r = w^j z$, and replacing $y$ with $y'$ leads to the case discussed above where the order of the new $z$ (i.e. $w^j z$) is less than that of $w$ (remember that $x y' = \zeta_r y' x$ still holds), and we already get a zero divisor. If $r = 2$ then $y'^2 = -wz$ ($j = 1$), and the argument of the odd $r$ case can be repeated except when $\mathrm{ord}(-wz)$ does not fall, i.e. the orders are such that $\mathrm{ord}(wz) < \mathrm{ord}(w) = \mathrm{ord}(z) = \mathrm{ord}(-wz)$. This case is only possible (recall $z \ne 1$) when $w = z = -1$, so $x^2 = y^2 = -1$ and $y^{-1} x y = -x$. Notice that in this case $A'$ is like a ring of quaternions, and we handle this case next in a standard way.

To treat this case, by Theorem 6.1 of [W05] one can efficiently find $\alpha, \beta \in k$ such that $\alpha^2 + \beta^2 = -1$. Put $x' := (\alpha y + \beta)x$. As $(\alpha y + \beta)(-\alpha y + \beta) = -\alpha^2 y^2 + \beta^2 = \alpha^2 + \beta^2 = -1$, the element $\alpha y + \beta$ is a unit of $D_y$, so $x' \in D_y$ would give $x \in D_y$, which is a contradiction. Thus $x' \notin D_y$, in particular $x' \ne \pm 1$. Using $xy = -yx$ we can deduce that $x'^2 = (\alpha y + \beta)x(\alpha y + \beta)x = (\alpha y + \beta)(-\alpha y + \beta)x^2 = (\alpha^2 + \beta^2)(-1) = 1$. Thus $(x' - 1)$ is a zero divisor. This finishes the proof of Application 1 in all cases.
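The quaternion endgame of this proof is concrete enough to run. What follows is an added example, not code from the paper: it models the algebra $A'$ of that last case over $\mathbb{F}_p$ by its structure constants (Hamilton's $i, j, k$, with the paper's $x = i$ and $y = j$, so $xy = k$ and $xy = -yx$), finds $\alpha, \beta$ with $\alpha^2 + \beta^2 = -1$ by an exhaustive search (a stand-in for the efficient method of Theorem 6.1 of [W05]; this search is an assumption of the example and is only sensible for small $p$), builds $x' = (\alpha y + \beta)x$, checks $x'^2 = 1$, and certifies that $x' - 1$ is a zero divisor by the rank of its left-multiplication matrix, which is the "nonzero solution of a system of linear equations" view used throughout the section.

```python
# Added example: a zero divisor in the quaternion case x^2 = y^2 = -1, xy = -yx over F_p,
# following the last step of the proof of Application 1.  Elements are 4-tuples
# (a0, a1, a2, a3) = a0 + a1*i + a2*j + a3*k with i^2 = j^2 = k^2 = -1, ij = k, jk = i, ki = j.

def qmul(a, b, p):
    """Hamilton product of two quaternions, coefficients reduced mod p."""
    a0, a1, a2, a3 = a
    b0, b1, b2, b3 = b
    return ((a0*b0 - a1*b1 - a2*b2 - a3*b3) % p,
            (a0*b1 + a1*b0 + a2*b3 - a3*b2) % p,
            (a0*b2 - a1*b3 + a2*b0 + a3*b1) % p,
            (a0*b3 + a1*b2 - a2*b1 + a3*b0) % p)

def qadd(a, b, p):
    return tuple((u + v) % p for u, v in zip(a, b))

def qsub(a, b, p):
    return tuple((u - v) % p for u, v in zip(a, b))

ZERO, ONE = (0, 0, 0, 0), (1, 0, 0, 0)
I, J, K = (0, 1, 0, 0), (0, 0, 1, 0), (0, 0, 0, 1)   # the paper's x, y and xy

def find_alpha_beta(p):
    """alpha, beta in F_p with alpha^2 + beta^2 = -1 (exists for every odd prime p).
    Exhaustive search: a placeholder for the efficient method of [W05, Theorem 6.1]."""
    squares = {(b * b) % p: b for b in range(p)}
    for alpha in range(p):
        t = (-1 - alpha * alpha) % p
        if t in squares:
            return alpha, squares[t]
    raise ValueError("p must be an odd prime")

def rank_mod_p(rows, p):
    """Rank of a matrix (list of rows) over F_p by Gaussian elimination."""
    m = [r[:] for r in rows]
    rank = 0
    for c in range(len(m[0])):
        pivot = next((r for r in range(rank, len(m)) if m[r][c] % p), None)
        if pivot is None:
            continue
        m[rank], m[pivot] = m[pivot], m[rank]
        inv = pow(m[rank][c], p - 2, p)
        m[rank] = [(v * inv) % p for v in m[rank]]
        for r in range(len(m)):
            if r != rank and m[r][c] % p:
                f = m[r][c]
                m[r] = [(u - f * v) % p for u, v in zip(m[r], m[rank])]
        rank += 1
    return rank

def left_mult_matrix(a, p):
    """Matrix of v -> a*v in the basis 1, i, j, k (column t is a times the t-th basis element)."""
    cols = [qmul(a, e, p) for e in (ONE, I, J, K)]
    return [[cols[t][s] for t in range(4)] for s in range(4)]

def is_zero_divisor(a, p):
    """In a finite-dimensional algebra a nonzero element is a zero divisor iff left
    multiplication by it is singular, i.e. a*v = 0 has a nonzero solution v."""
    return a != ZERO and rank_mod_p(left_mult_matrix(a, p), p) < 4

def quaternion_zero_divisor(p):
    """Return (x', x'-1, x'+1) with x' = (alpha*y + beta)*x; x'^2 = 1 and (x'-1)(x'+1) = 0."""
    alpha, beta = find_alpha_beta(p)
    u = (beta, 0, alpha, 0)                     # alpha*y + beta, a unit of D_y = C[y]
    xprime = qmul(u, I, p)                      # (alpha*y + beta)*x
    if qmul(xprime, xprime, p) != ONE:          # x'^2 = (alpha^2 + beta^2)(-1) = 1
        raise ArithmeticError("x'^2 != 1")
    return xprime, qsub(xprime, ONE, p), qadd(xprime, ONE, p)
```

Because $x' \ne \pm 1$, both $x' - 1$ and $x' + 1$ are nonzero, and their product $x'^2 - 1$ vanishes, so each is a zero divisor; `is_zero_divisor` confirms this without using the relation, by linear algebra alone, which is the check one would apply to any candidate element of an algebra given by structure constants.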

6.3 Further Results on Finding Zero Divisors in $M_m(C)$

In this part we briefly outline an alternative to the approach of Application 1. Formal statements and details of proofs will be the subject of a subsequent paper.

Assume that $A = M_m(C)$ for some commutative semisimple algebra $C$ over the finite field $k$. As in the proof of Application 1, we use the method of [GI00] to find a maximal commutative semisimple subalgebra $D$ of $A$. Note that $D$ is a free module over $C$ of rank $m$. Let $r$ be a prime divisor of $m$. Then we can use the algorithm of Theorem 5.4 to find an automorphism of order $r$ of a subalgebra $B$ of $D$ in time $\mathrm{poly}(m^r, \log|A|)$. The remaining part of the proof of Application 1 can be modified so that an automorphism of prime order of a subalgebra of $D$, rather than one of the whole $D$, can be used to find a zero divisor in $A$ in polynomial time. This way we obtain a deterministic algorithm of complexity $\mathrm{poly}(m^r, \log|A|)$ for finding a zero divisor in an algebra $A$ isomorphic to $M_m(C)$, where $r$ is the smallest prime divisor of $m$.

Using a generalization [CIK97] of a method of [BR90] we can use the zero divisor obtained above to compute a subalgebra of $A$ (in the broader sense, thus a subalgebra of a one-sided ideal of $A$) isomorphic to $M_{m'}(C)$, where $m'$ is a certain divisor of $m$. Iterating this method we ultimately find a zero divisor $z$ of $A$ which is equivalent to an elementary matrix (a matrix having just one nonzero entry) with respect to an isomorphism $A \cong M_m(C)$. Then the left ideal $Az$ is isomorphic to the standard module for $M_m(C)$ (the module of column vectors of length $m$ over $C$). Finding such a module is equivalent to constructing an explicit isomorphism with $M_m(C)$. The time complexity is $\mathrm{poly}(m^r, \log|A|)$, where $r$ is the largest prime divisor of $m$. In particular, if $A \cong M_{2^\ell}(C)$, our method computes such an isomorphism in deterministic polynomial time.

7 Special Finite Fields: Proof of Application 4

In this section we assume that $k = \mathbb{F}_p$ for a prime $p > 3$ and that the prime factors of $(p-1)$ are bounded by $S$. We also assume that all the algebras that appear in the section are completely split semisimple algebras over $k$, i.e. isomorphic to direct sums of copies of $k$.

We first show an algorithm that constructs an $r$-th Kummer extension of an algebra given a prime $r \mid (p-1)$. We basically generalize Lemma 2.3 of [Ró89a] to the following form:

Lemma 7.1. Assume that $A$ is a free module over its subalgebra $B$ of rank $d$. Then in time $\mathrm{poly}(\log|A|, S)$ we can find either a zero divisor in $A$ or an element $x \in A^*$ of $r$-power order, for a prime $r \mid (p-1)$, satisfying one of the following conditions:

(1) $r \ne d$, $x \notin B$ and $x^r \in B$,

(2) $r = d$, $x^r \notin B$ and $x^{r^2} \in B$.

Proof. As $B$ is a completely split semisimple algebra, say of dimension $n$ over $k$, there are orthogonal primitive idempotents $f_1, \ldots, f_n$ such that $f_i B \cong k$ for all $i$. For an $i \in \{1, \ldots, n\}$ we can project the hypothesis to the $f_i$ component, thus $\dim_k f_i A = d$ and there are orthogonal primitive idempotents $e_{i,1}, \ldots, e_{i,d}$ of $A$ such that $f_i A = e_{i,1} A \oplus \cdots \oplus e_{i,d} A$. As $f_i$ is the identity element of $f_i A$ we further get that $f_i = e_{i,1} + \cdots + e_{i,d}$.

Now pick a $y \in A \setminus B$. Suppose (for the sake of contradiction) that for all $1 \le i \le n$ there is a single $y_i \in k$ that satisfies $y e_{i,j} = y_i e_{i,j}$ for all $1 \le j \le d$. Then summing gives $y = \sum_{i=1}^n y_i f_i$, and as each $y_i f_i \in B$ we further get that $y \in B$. This contradiction shows that there is an $i \in \{1, \ldots, n\}$ and distinct $j, j' \in \{1, \ldots, d\}$ such that $y e_{i,j} = y_1 e_{i,j}$ and $y e_{i,j'} = y_2 e_{i,j'}$ for some $y_1 \ne y_2 \in k$. Let us fix these $y_1, y_2$ for the rest of the proof; we do not compute them but use their existence for the correctness of the algorithm. We can assume $y \in A^*$, otherwise we have a zero divisor and we are done.

Let $r_1, \ldots, r_t$ be the prime divisors of $(p-1)$. Let us assume $p > S\log p + 1$, as otherwise we can just invoke Berlekamp's polynomial factoring algorithm to find a complete split of $A$, and we are done. As $p > S\log p + 1$, there is an integer $0 \le a \le S\log p + 1$ such that $(y_1 + a)^{r_\ell} \ne (y_2 + a)^{r_\ell}$ for all $\ell \in \{1, \ldots, t\}$ (since there can be at most $tS \le S\log p$ elements of $\mathbb{F}_p$ satisfying at least one of these equations). We can also assume $(y + a)$ to be invertible, as otherwise we are done. Note that $(y+a)^{r_\ell} e_{i,j} = (y_1+a)^{r_\ell} e_{i,j}$ and $(y+a)^{r_\ell} e_{i,j'} = (y_2+a)^{r_\ell} e_{i,j'}$, which together with $(y_1+a)^{r_\ell} \ne (y_2+a)^{r_\ell}$ implies that $(y+a)^{r_\ell} \notin B$. Thus $z := (y+a)$ is an element of $A^*$ for which $z^{r_\ell} \notin B$ for all $\ell \in \{1, \ldots, t\}$.

Note that $z^{p-1} = 1$, in particular $z^{p-1} \in B$. Thus we can find two, not necessarily distinct, prime divisors $r_1$ and $r_2$ of $(p-1)$ such that, replacing $z$ with an appropriate power of it, we have $z^{r_1}, z^{r_2} \notin B$ but $z^{r_1 r_2} \in B$. Either $r_1 = r_2 = d$ and we take $(x, r) = (z, d)$, or else at least one of them, say wlog $r_1$, differs from $d$, and we take $(x, r) = (z^{r_2}, r_1)$. Finally we can raise $x$ to a suitable power (coprime to $r$) so that $x$ has $r$-power order together with the other properties. □
For an integer $m$ we denote by $\Phi_m$ the $m$-th cyclotomic polynomial in $k[X]$. Let $r_1, \ldots, r_t$ be the prime divisors of $(p-1)$. Then for a subset $I$ of $\{1, \ldots, t\}$ we denote the product $\prod_{i \in I} r_i$ by $r_I$. We now give an algorithm that either finds a zero divisor in $A$ or a homomorphism from an $r_I$-th cyclotomic extension onto $A$.

Lemma 7.2. Let $B \le A$. Assume that we are also given a surjective homomorphism from $k[X]/(\Phi_{r_I}(X))$ onto $B$ for some subset $I$ of $\{1, \ldots, t\}$. Then in time $\mathrm{poly}(\log|A|, S)$ we can compute either a zero divisor in $A$ or a subalgebra $B' > B$ of $A$ together with a surjective homomorphism from $k[X]/(\Phi_{r_{I'}}(X))$ onto $B'$ for some subset $I' \subseteq \{1, \ldots, t\}$.

Proof. We may clearly assume that $A$ is a free module (of rank $d$) over $B$. Let the prime $r$ and the element $x \in A^*$ be the result of an application of the algorithm of Lemma 7.1. If $B[x]$ is a proper subalgebra of $A$ then we can solve the problem by two recursive calls: first on $(B[x], B)$, and then on $A$ with the subalgebra returned by the first call in place of $B$. Thus the base case of the recursion is when $A = B[x]$. We handle this case now. In this case clearly $d \le r$.

Assume case (2), i.e. $d = r$. We can assume $A = B[x^r]$, as otherwise the subalgebra $B[x^r]$ is a proper subalgebra of $A$ and we can find a zero divisor because $A$ cannot be a free module over this subalgebra (as $\dim_B A = r$ is a prime). It follows that $\Phi_r(x^r) \ne 0$, because otherwise the rank of $A$ as a $B$-module would be at most $\varphi(r) < r$, a contradiction. So we can assume $x^{r^2} \ne 1$, as otherwise $\Phi_r(x^r)(x^r - 1) = x^{r^2} - 1 = 0$ with $x^r - 1 \ne 0$ (since $x^r \notin B$), so $\Phi_r(x^r)$ is a zero divisor and we are done.

Thus we can find a power $\zeta \ne 1$ of $x^{r^2}$ for which $\zeta^r = 1$. This means, in particular, that a primitive $r$-th root of unity is in $B$, and we have $A = B[X]/(X^r - x^{r^2})$. So we get a $B$-automorphism $\sigma$ of $A$ that sends $x^r \mapsto \zeta x^r$. The automorphism $\sigma$ is of order $r$, is semiregular and satisfies $A_\sigma = B$. We compute the element $z := \prod_{i=0}^{r-1} x^{\sigma^i}$. Then $z^\sigma = z$, therefore $z \in B$. Also,
$$z^r = \prod_{i=0}^{r-1} (x^r)^{\sigma^i} = \prod_{i=0}^{r-1} \zeta^i x^r = \zeta^{r(r-1)/2}\, x^{r^2}.$$
If $r$ is odd then $z^r = x^{r^2} = (x^r)^r$, while $z \ne \zeta^i x^r$ for all $i$ ($z, \zeta \in B$ but $x^r \notin B$), thus $(z - \zeta^i x^r)$ is a zero divisor of $A$ for some $i$, and we are done. If $r = 2$ then $z^2 = -x^4$. We use the algorithm of [Sch85] for finding a square root $w$ of $-1$ in $k$ and observe that $(wz)^2 = x^4 = (x^2)^2$. Again $wz \ne \pm x^2$ ($z, w \in B$ but $x^2 \notin B$), thus $(wz - x^2)$ is a zero divisor of $A$ and we are done.

Assume case (1), i.e. $d < r$, with $x^r \ne 1$. We can assume $A = B[x]$ to be a free $B$-module with free basis $\{1, x, \ldots, x^{d-1}\}$, as otherwise we can find a zero divisor in $B$ by Lemma 2.2. Also we can find a power $\zeta \ne 1$ of $x^r$ for which $\zeta^r = 1$. These two facts mean that there is a well defined endomorphism $\phi$ of $A$ that maps $x$ to $\zeta x$ and fixes $B$. Compute the kernel $J \subseteq A$ of this endomorphism. If $J$ is nonzero then the nonzero elements of $J$ are zero divisors of $A$ (as $\phi$ cannot send a unit to zero), and we are done. If $J$ is zero then $\phi$ is a $B$-automorphism of $A$, clearly of order $r$. As $\dim_B A < r$, $\phi$ cannot be semiregular, so we get a zero divisor by Proposition 3.2 and we are done.

Finally assume again case (1), i.e. $d < r$, with $x^r = 1$. Let $\psi$ denote the given map from $k[X]/(\Phi_{r_I}(X))$ onto $B$. If $r \in I$ (identifying the prime $r$ with its index) then put $y := \psi(X^{r_I/r})$. Then $y \in B^* \setminus \{1\}$, because $X^{r_I/r}$ and $X^{r_I/r} - 1$ are coprime to $\Phi_{r_I}(X)$ and are thus units. As $x^r = y^r$ but $x \ne y^i$ for all $i$ ($y \in B$ while $x \notin B$), we deduce that $(x - y^i)$ is a zero divisor for some $i$, and we are done. Assume that $r \notin I$. Let $I' := I \cup \{r\}$ and let $C = k[X]/(\Phi_{r_{I'}}(X))$. We now break $C$ using Chinese Remaindering. Let $q_1$ be a multiple of $r$ which is congruent to 1 modulo $r_I$, and let $q_2$ be a multiple of $r_I$ congruent to 1 modulo $r$. Let $X_1 := X^{q_1}$, $X_2 := X^{q_2}$, and let $C_1$ resp. $C_2$ be the subalgebras of $C$ generated by $X_1$ resp. $X_2$. Then $C_1 \cong k[X_1]/(\Phi_{r_I}(X_1))$ and $C_2 \cong k[X_2]/(\Phi_r(X_2))$. Let $\psi_1$ be the given surjective map from $C_1$ onto $B$ and let $\psi_2$ be the map from $C_2$ sending $X_2$ to $x$. Let $\psi'$ be the map from $C \cong C_1 \otimes C_2$ into $A$ that is the linear extension of the map sending $X = X_1 X_2$ to $\psi_1(X_1)\psi_2(X_2)$. Clearly, $\psi'$ is a homomorphism from $C$ to $A$ and is onto (as $A = B[x]$). This finishes the proof. □

Using Lemma 7.2 as an induction tool, we obtain the following.

Theorem 7.3. Let $f(X)$ be a polynomial of degree $n$ which completely splits into linear factors over $\mathbb{F}_p$. Let $r_1 < \ldots < r_t$ be the prime factors of $(p-1)$. Then by a deterministic algorithm of running time $\mathrm{poly}(r_t, n, \log p)$ we can either find a nontrivial factor of $f(X)$ or compute a surjective homomorphism $\psi$ from $\mathbb{F}_p[X]/(\Phi_{r_I}(X))$ to $\mathbb{F}_p[X]/(f(X))$, where $r_I = \prod_{i \in I} r_i$ for some subset $I$ of $\{1, \ldots, t\}$ and $\Phi_{r_I}$ is the cyclotomic polynomial of degree $\prod_{i \in I}(r_i - 1)$. □

Note that if $\psi$ is not an isomorphism then we can break the cyclotomic ring above and find its invariant decomposition into ideals by Lemma 2.3. As we know the automorphism group of cyclotomic extension rings over $\mathbb{F}_p$ (and of their ideals as well), this theorem immediately implies the statement of Application 4.
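The engine of this section, in its most elementary form, is the step used twice in the proof of Lemma 7.2: if $x^q = 1$ in $A = \mathbb{F}_p[X]/(f)$, $x$ is not a scalar, and the $q$-th roots of unity are at hand, then $x - \zeta^i$ is a zero divisor for some $i$, and $\gcd(f, x - \zeta^i)$ is a proper factor. The following is an added example, not the paper's algorithm: it factors a completely split $f$ over $\mathbb{F}_p$ by taking $x = (X + a)^{(p-1)/q}$ for each prime power $q = r^e$ exactly dividing $p - 1$ and trying all $q$-th roots of unity. It differs from the paper in exactly the two places the paper is about: it enumerates $q$ rather than $r$ roots of unity, so its cost is polynomial in the largest $r^e \,\|\, p-1$ rather than in $r_t$, and it obtains $\zeta$ by a brute-force search for an element of order $q$ in $\mathbb{F}_p^*$, which is assumed cheap here instead of being replaced by the cyclotomic-ring constructions of Lemmas 7.1 and 7.2. The polynomial arithmetic is written out; sample polynomials are built from their roots.

```python
# Added example: root-of-unity splitting of a completely split polynomial over F_p.
# Polynomials over F_p are lists of coefficients, lowest degree first; [] is the zero polynomial.

def trim(a):
    while a and a[-1] == 0:
        a.pop()
    return a

def deg(a):
    return len(a) - 1                       # deg(0) = -1

def p_sub(a, b, p):
    n = max(len(a), len(b))
    return trim([((a[i] if i < len(a) else 0) - (b[i] if i < len(b) else 0)) % p
                 for i in range(n)])

def p_mul(a, b, p):
    if not a or not b:
        return []
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % p
    return trim(out)

def p_divmod(a, f, p):
    """Quotient and remainder of a by the nonzero polynomial f over F_p."""
    a = trim(a[:])
    q = [0] * max(len(a) - len(f) + 1, 0)
    inv = pow(f[-1], p - 2, p)
    while len(a) >= len(f):
        c = a[-1] * inv % p
        s = len(a) - len(f)
        q[s] = c
        for i, fi in enumerate(f):
            a[s + i] = (a[s + i] - c * fi) % p
        trim(a)
    return trim(q), a

def p_gcd(a, b, p):
    """Monic gcd over F_p."""
    a, b = trim(a[:]), trim(b[:])
    while b:
        a, b = b, p_divmod(a, b, p)[1]
    inv = pow(a[-1], p - 2, p)
    return [c * inv % p for c in a]

def p_powmod(base, e, f, p):
    result, base = [1], p_divmod(base, f, p)[1]
    while e:
        if e & 1:
            result = p_divmod(p_mul(result, base, p), f, p)[1]
        base = p_divmod(p_mul(base, base, p), f, p)[1]
        e >>= 1
    return result

def prime_power_factors(m):
    """{r: e} with m = prod r^e, by trial division."""
    out, r = {}, 2
    while r * r <= m:
        while m % r == 0:
            out[r] = out.get(r, 0) + 1
            m //= r
        r += 1
    if m > 1:
        out[m] = out.get(m, 0) + 1
    return out

def root_of_unity(p, q, r):
    """An element of exact order q = r^e in F_p^* (q | p-1), found by trying bases 2, 3, ...
    Assumption of this example: doing this deterministically without GRH is exactly the kind
    of step the paper's cyclotomic-ring constructions avoid; here it is simply taken as cheap."""
    for g in range(2, p):
        z = pow(g, (p - 1) // q, p)
        if pow(z, q // r, p) != 1:          # order divides q and is not a proper divisor
            return z
    raise ValueError("no element of order %d" % q)

def split_once(f, p):
    """A proper monic factor of f, where f is monic, squarefree and splits completely over F_p.
    x = (X+a)^((p-1)/q) satisfies x^q = 1 in F_p[X]/(f) once X+a is coprime to f; if x is not a
    scalar, then x - zeta^i is a zero divisor for some q-th root of unity zeta^i and gcd finds it.
    a = 0 already suffices (see the note below); the loop over a is only defensive."""
    n = deg(f)
    ppf = prime_power_factors(p - 1)
    for a in range(p):
        g = p_gcd(f, [a, 1], p)             # X + a
        if deg(g) == 1:
            return g                        # -a is a root of f
        for r, e in ppf.items():
            q = r ** e
            x = p_powmod([a, 1], (p - 1) // q, f, p)
            if deg(x) <= 0:
                continue                    # same value at every root of f: try the next q
            zeta, w = root_of_unity(p, q, r), 1
            for _ in range(q):
                h = p_gcd(f, p_sub(x, [w], p), p)
                if 0 < deg(h) < n:
                    return h
                w = w * zeta % p
    raise ValueError("f is not squarefree and completely split")

def roots(f, p):
    """All roots of a monic, squarefree, completely split f, by repeated splitting."""
    f = trim(f[:])
    if deg(f) == 1:
        return [(-f[0]) % p]
    g = split_once(f, p)
    h = p_divmod(f, g, p)[0]
    return sorted(roots(g, p) + roots(h, p))

def poly_from_roots(rs, p):
    """Constructed sample input: the monic polynomial with the given roots."""
    f = [1]
    for b in rs:
        f = p_mul(f, [(-b) % p, 1], p)
    return f
```

Why some $q$ always works for $a = 0$ (when $0$ is not a root): for two distinct roots $\beta_1, \beta_2$ of $f$ the ratio $\beta_1/\beta_2 \ne 1$ cannot be an $r^e$-th power for every $r^e \,\|\, p-1$, since that would force its order to divide $\gcd_{r^e}\,(p-1)/r^e = 1$; so for that $q$ the values $\beta_1^{(p-1)/q}$ and $\beta_2^{(p-1)/q}$ differ and $x$ is not a scalar. The enumeration over $q$ roots of unity and the search inside `root_of_unity` are what Theorem 7.3 replaces by working with prime-degree Kummer steps inside the cyclotomic ring $\mathbb{F}_p[X]/(\Phi_{r_I}(X))$ rather than with explicit roots of unity in $\mathbb{F}_p$.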